Windows Analysis Report
SureDI.exe

Overview

General Information

Sample name: SureDI.exe
Analysis ID: 1523277
MD5: 1a6a5dbfd0a009f1d1738eb4abd18316
SHA1: 6d1598d23209aec395263376f6fb753100031cae
SHA256: e8ee9c2ba8f88c3a4c6d3221327c0242c17ad9204f6830e12adfbe6e00981b20

Detection

Score: 26
Range: 0 - 100
Whitelisted: false
Confidence: 0%

Compliance

Score: 49
Range: 0 - 100

Signatures

Loading BitLocker PowerShell Module
Reads the Security eventlog
Reads the System eventlog
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evaded block containing many API calls
Found evasive API chain (may stop execution after checking a module file name)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file does not import any functions
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: PSScriptPolicyTest Creation By Uncommon Process
Sigma detected: Suspicious Execution From GUID Like Folder Names
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Process Tree

  • System is w10x64
  • SureDI.exe (PID: 7296 cmdline: "C:\Users\user\Desktop\SureDI.exe" MD5: 1A6A5DBFD0A009F1D1738EB4ABD18316)
    • SureDI.exe (PID: 7344 cmdline: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe /q"C:\Users\user\Desktop\SureDI.exe" /tempdisk1folder"C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}" /IS_temp MD5: 1A6A5DBFD0A009F1D1738EB4ABD18316)
      • msiexec.exe (PID: 7396 cmdline: "C:\Windows\system32\MSIEXEC.EXE" /i "C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\Rigaku SureDI.msi" TRANSFORMS="C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\1033.MST" SETUPEXEDIR="C:\Users\user\Desktop" SETUPEXENAME="SureDI.exe" MD5: E5DA170027542E25EDE42FC54C929077)
      • explorer.exe (PID: 3244 cmdline: explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)
  • msiexec.exe (PID: 7456 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 7516 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding CDB15B2CE92E28F3B8622149A9799E65 C MD5: 9D09DC1EDA745A5F87553048E57620CF)
    • msiexec.exe (PID: 7800 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 72C84AB51E330DD7B93C0FC1C98E56AC MD5: 9D09DC1EDA745A5F87553048E57620CF)
    • msiexec.exe (PID: 7980 cmdline: C:\Windows\System32\MsiExec.exe -Embedding 61343986035DDA98571FD63CB9C8F73D E Global\MSI0000 MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 1344 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 60E1AB94C32A1ADB74E0CFD4F89B3AA8 E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • svchost.exe (PID: 7720 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
No configs have been found
No yara matches
Sigma hit | Source: File created | Author: Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Windows\System32\msiexec.exe, ProcessId: 7980, TargetFilename: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wi11rsnj.hig.ps1
Sigma hit | Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\system32\MSIEXEC.EXE" /i "C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\Rigaku SureDI.msi" TRANSFORMS="C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\1033.MST" SETUPEXEDIR="C:\Users\user\Desktop" SETUPEXENAME="SureDI.exe", CommandLine: "C:\Windows\system32\MSIEXEC.EXE" /i "C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\Rigaku SureDI.msi" TRANSFORMS="C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\1033.MST" SETUPEXEDIR="C:\Users\user\Desktop" SETUPEXENAME="SureDI.exe", CommandLine|base64offset|contains: , Image: C:\Windows\System32\msiexec.exe, NewProcessName: C:\Windows\System32\msiexec.exe, OriginalFileName: C:\Windows\System32\msiexec.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe /q"C:\Users\user\Desktop\SureDI.exe" /tempdisk1folder"C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}" /IS_temp, ParentImage: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe, ParentProcessId: 7344, ParentProcessName: SureDI.exe, ProcessCommandLine: "C:\Windows\system32\MSIEXEC.EXE" /i "C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\Rigaku SureDI.msi" TRANSFORMS="C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\1033.MST" SETUPEXEDIR="C:\Users\user\Desktop" SETUPEXENAME="SureDI.exe", ProcessId: 7396, ProcessName: msiexec.exe
Sigma hit | Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7720, ProcessName: svchost.exe
No Suricata rule has matched
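The two Sigma hits in this report can be reproduced from the process-tree data the report itself lists. The Python below is an added example written for this page; it is not Joe Sandbox code and not the published Sigma rules. It re-implements the gist of the two rules named in the Signatures list (a __PSScriptPolicyTest_*.ps1 written by a process that is not a known PowerShell host, and a process whose image, parent or command line sits in a {GUID}-named folder under %TEMP%) and runs them over the three events transcribed from the report plus one constructed control event. The PowerShell-host filter list is shortened and is an assumption of the example; the real rules carry longer selection and filter blocks.

```python
"""Re-run simplified versions of the two Sigma rules that fired in this report.

Example code added to this page. It is not Joe Sandbox code, does not parse the
Joe Sandbox output format, and only approximates the two public Sigma rules
named in the Signatures list (their real selection and filter blocks are longer).
"""
import re

# Field names follow the Sysmon/Sigma names used in the report's Sigma hits.
# The first three events are transcribed from the report; the fourth is a
# constructed control case (powershell.exe writing its own policy-test file)
# that the first rule must NOT flag.
EVENTS = [
    {
        "EventID": 11,  # Sysmon FileCreate
        "Image": r"C:\Windows\System32\msiexec.exe",
        "ProcessId": 7980,
        "TargetFilename": r"C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wi11rsnj.hig.ps1",
    },
    {
        "EventID": 1,  # Sysmon ProcessCreate
        "Image": r"C:\Windows\System32\msiexec.exe",
        "ProcessId": 7396,
        "ParentImage": r"C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe",
        "CommandLine": (r'"C:\Windows\system32\MSIEXEC.EXE" /i "C:\Users\user\AppData\Local\Temp'
                        r'\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\Rigaku SureDI.msi"'),
    },
    {
        "EventID": 1,
        "Image": r"C:\Windows\System32\svchost.exe",
        "ProcessId": 7720,
        "ParentImage": "",
        "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS",
    },
    {
        "EventID": 11,  # constructed control event, not from the report
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ProcessId": 4242,
        "TargetFilename": r"C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_abcd1234.xyz.ps1",
    },
]

# A {GUID} path component: 8-4-4-4-12 hex digits in braces between backslashes.
GUID_DIR = re.compile(
    r"\\\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}\\", re.IGNORECASE
)

# Processes that host the PowerShell engine and therefore legitimately write
# __PSScriptPolicyTest_*.ps1 when the engine probes execution policy. The public
# rule filters a longer list; this trimmed tuple is an assumption of the example.
EXPECTED_PS_HOSTS = (r"\powershell.exe", r"\powershell_ise.exe", r"\pwsh.exe", r"\sdiagnhost.exe")


def psscriptpolicytest_uncommon_process(ev):
    """Policy-test script created by an image that is not a known PowerShell host."""
    if ev.get("EventID") != 11:
        return False
    target = ev.get("TargetFilename", "").lower()
    if "__psscriptpolicytest_" not in target or not target.endswith(".ps1"):
        return False
    return not ev.get("Image", "").lower().endswith(EXPECTED_PS_HOSTS)


def execution_from_guid_like_folder(ev):
    """Process creation whose image, parent or command line lives in a {GUID} folder under %TEMP%."""
    if ev.get("EventID") != 1:
        return False
    for field in ("Image", "ParentImage", "CommandLine"):
        value = ev.get(field, "")
        if GUID_DIR.search(value) and r"\appdata\local\temp\{" in value.lower():
            return True
    return False


RULES = {
    "PSScriptPolicyTest Creation By Uncommon Process": psscriptpolicytest_uncommon_process,
    "Suspicious Execution From GUID Like Folder Names": execution_from_guid_like_folder,
}


def run_rules(events=EVENTS):
    """Return (rule name, ProcessId) pairs for every event that matches a rule."""
    return [(name, ev["ProcessId"]) for ev in events for name, rule in RULES.items() if rule(ev)]


if __name__ == "__main__":
    for name, pid in run_rules():
        print(f"{name}: PID {pid}")
```

Both hits come out of the msiexec.exe lineage (PIDs 7980 and 7396); the svchost.exe BITS event matches neither. The __PSScriptPolicyTest_*.ps1 file is written when the PowerShell engine initializes and probes script execution policy, so the rule uses the creating image rather than the file name as the discriminator: a Windows Installer process writing it means something in the install hosted the PowerShell engine, which is worth a look at the MSI's custom actions but is not a verdict on its own.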

Cryptography

Source: C:\Users\user\Desktop\SureDI.exe | Code function: 0_2_00495C46 CryptReleaseContext
Source: C:\Users\user\Desktop\SureDI.exe | Code function: 0_2_00495C7E CryptDestroyHash
Source: C:\Users\user\Desktop\SureDI.exe | Code function: 0_2_00495C98 CryptDestroyKey
Source: C:\Users\user\Desktop\SureDI.exe | Code function: 0_2_00495DC9 CryptExportKey
Source: C:\Users\user\Desktop\SureDI.exe | Code function: 0_2_0049604C CryptGetHashParam,GetLastError,CryptGetHashParam
Source: C:\Users\user\Desktop\SureDI.exe | Code function: 0_2_0049620A CryptHashData
Source: C:\Users\user\Desktop\SureDI.exe | Code function: 0_2_00496296 CryptImportKey
Source: C:\Users\user\Desktop\SureDI.exe | Code function: 0_2_00496320 __EH_prolog3_GS,CreateFileW,ReadFile,CryptCreateHash,ReadFile,CryptHashData,GetLastError,CryptHashData,GetLastError,CryptDeriveKey,GetLastError,ReadFile,CryptImportKey,GetLastError,GetLastError
Source: C:\Users\user\Desktop\SureDI.exe | Code function: 0_2_0049663C CoCreateGuid,StringFromGUID2,_wcsncpy,CryptAcquireContextW,CryptCreateHash
Source: C:\Users\user\Desktop\SureDI.exe | Code function: 0_2_004969CD CryptGetHashParam,GetLastError,CryptSetHashParam
Source: C:\Users\user\Desktop\SureDI.exe | Code function: 0_2_00496A5A CryptAcquireContextW,CryptReleaseContext,CryptDestroyHash
Source: C:\Users\user\Desktop\SureDI.exe | Code function: 0_2_00496DB9 SetFilePointer,CryptSignHashW,GetLastError,CryptSignHashW,WriteFile,WriteFile,WriteFile,SetFilePointer
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe | Code function: 1_2_00495C46 CryptReleaseContext
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe | Code function: 1_2_00495C7E CryptDestroyHash
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe | Code function: 1_2_00495C98 CryptDestroyKey
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe | Code function: 1_2_00495DC9 CryptExportKey
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe | Code function: 1_2_0049604C CryptGetHashParam,GetLastError,CryptGetHashParam
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe | Code function: 1_2_0049620A CryptHashData
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe | Code function: 1_2_00496296 CryptImportKey
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe | Code function: 1_2_00496320 __EH_prolog3_GS,CreateFileW,ReadFile,CryptCreateHash,ReadFile,CryptHashData,GetLastError,CryptHashData,GetLastError,CryptDeriveKey,GetLastError,ReadFile,CryptImportKey,GetLastError,GetLastError
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe | Code function: 1_2_0049663C CoCreateGuid,StringFromGUID2,_wcsncpy,CryptAcquireContextW,CryptCreateHash
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe | Code function: 1_2_004969CD CryptGetHashParam,GetLastError,CryptSetHashParam
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe | Code function: 1_2_00496A5A CryptAcquireContextW,CryptReleaseContext,CryptDestroyHash
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe | Code function: 1_2_00496DB9 SetFilePointer,CryptSignHashW,GetLastError,CryptSignHashW,WriteFile,WriteFile,WriteFile,SetFilePointer

Compliance

Source: SureDI.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Windows\System32\msiexec.exe | Directory created:
  • C:\Program Files\Rigaku
  • C:\Program Files\Rigaku\SureDI
  • C:\Program Files\Rigaku\SureDI\Rigaku.Services.DBDataService.v4.0.dll
  • C:\Program Files\Rigaku\SureDI\Rigaku.Plugins.DBManager.v4.0.dll
  • C:\Program Files\Rigaku\SureDI\Rigaku.Plugins.Launcher.v1.0.dll
  • C:\Program Files\Rigaku\SureDI\Rigaku.Plugins.Logging.v4.0.dll
  • C:\Program Files\Rigaku\SureDI\Rigaku.Services.MaterialsService.Interface.v4.0.dll
  • C:\Program Files\Rigaku\SureDI\Rigaku.Services.ReportingService.Interface.v4.0.dll
  • C:\Program Files\Rigaku\SureDI\Rigaku.Services.ReportingService.v4.0.dll
  • C:\Program Files\Rigaku\SureDI\Rigaku.Chart.Editors.v2.0.dll
  • C:\Program Files\Rigaku\SureDI\Rigaku.Chart.Interface.v2.0.dll
  • C:\Program Files\Rigaku\SureDI\Rigaku.Chart.Layers.v2.0.dll
  • C:\Program Files\Rigaku\SureDI\Rigaku.Chart.Other.v2.0.dll
  • C:\Program Files\Rigaku\SureDI\Rigaku.Chart.Utils.v2.0.dll
  • C:\Program Files\Rigaku\SureDI\Rigaku.Chart.v2.0.dll
  • C:\Program Files\Rigaku\SureDI\CreateSQLServerDatabase.exe
  • C:\Program Files\Rigaku\SureDI\backup_SQLRigaku.cmd
  • C:\Program Files\Rigaku\SureDI\Rigaku.DBMaintenance.exe
  • C:\Program Files\Rigaku\SureDI\DBBackupFiles
  • C:\Program Files\Rigaku\SureDI\DBBackupFiles\database_backup.xml
  • C:\Program Files\Rigaku\SureDI\DBBackupFiles\RigakuDB_Logging.bak
  • C:\Program Files\Rigaku\SureDI\DBBackupFiles\RigakuDB_Project.bak
  • C:\Program Files\Rigaku\SureDI\DBBackupFiles\RigakuDB_System.bak
  • C:\Program Files\Rigaku\SureDI\LocalSQLserverSettings.exe
  • C:\Program Files\Rigaku\SureDI\SQLserverConnectionSettings.exe
  • C:\Program Files\Rigaku\SureDI\Rigaku.DSCViewerControlLib.v1.0.dll
  • C:\Program Files\Rigaku\SureDI\DevExpress.Charts.v19.2.Core.dll
  • C:\Program Files\Rigaku\SureDI\DevExpress.CodeParser.v19.2.dll
  • C:\Program Files\Rigaku\SureDI\DevExpress.Data.v19.2.dll
  • C:\Program Files\Rigaku\SureDI\DevExpress.DataAccess.v19.2.dll
  • C:\Program Files\Rigaku\SureDI\DevExpress.Docs.v19.2.dll
  • C:\Program Files\Rigaku\SureDI\DevExpress.Images.v19.2.dll
  • C:\Program Files\Rigaku\SureDI\DevExpress.Mvvm.v19.2.dll
  • C:\Program Files\Rigaku\SureDI\DevExpress.Office.v19.2.Core.dll
  • C:\Program Files\Rigaku\SureDI\DevExpress.Pdf.v19.2.Core.dll
  • C:\Program Files\Rigaku\SureDI\DevExpress.Pdf.v19.2.Drawing.dll
  • C:\Program Files\Rigaku\SureDI\DevExpress.Printing.v19.2.Core.dll
  • C:\Program Files\Rigaku\SureDI\DevExpress.RichEdit.v19.2.Core.dll
  • C:\Program Files\Rigaku\SureDI\DevExpress.Snap.v19.2.Core.dll
  • C:\Program Files\Rigaku\SureDI\DevExpress.Sparkline.v19.2.Core.dll
  • C:\Program Files\Rigaku\SureDI\DevExpress.Spreadsheet.v19.2.Core.dll
  • C:\Program Files\Rigaku\SureDI\DevExpress.Utils.v19.2.dll
  • C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Charts.v19.2.dll
  • C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.CodeView.v19.2.dll
  • C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Controls.v19.2.dll
  • C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Core.v19.2.dll
  • C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Docking.v19.2.dll
  • C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.DocumentViewer.v19.2.Core.dll
  • C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Gauges.v19.2.dll
  • C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Grid.v19.2.Core.dll
  • C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Grid.v19.2.dll
  • C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Grid.v19.2.Extensions.dll
  • C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Layout.v19.2.Core.dll
  • C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.LayoutControl.v19.2.dll
  • C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.NavBar.v19.2.dll
  • C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.PdfViewer.v19.2.dll
  • C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Printing.v19.2.dll
  • C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Ribbon.v19.2.dll
  • C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.RichEdit.v19.2.dll
  • C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Spreadsheet.v19.2.dll
  • C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Themes.Office2016White.v19.2.dll
  • C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Themes.SmartBlue.v19.2.dll
  • C:\Program Files\Rigaku\SureDI\DevExpress.Xpo.v19.2.dll
  • C:\Program Files\Rigaku\SureDI\DevExpress.XtraCharts.v19.2.dll
  • C:\Program Files\Rigaku\SureDI\DevExpress.XtraEditors.v19.2.dll
  • C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Logic.dll
  • C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.DBBrowser.v1.0.dll
  • C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Interface.v1.0.dll
  • C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Logging.v1.0.dll
  • C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Signature.v1.0.dll
  • C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.UICommon.v1.0.dll
  • C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.v1.0.dll
  • C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe
  • C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe
  • C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe.config
  • C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe.config
  • C:\Program Files\Rigaku\SureDI\Help
  • C:\Program Files\Rigaku\SureDI\Help\SureDI_BasicPart_UserManual_EN.pdf
  • C:\Program Files\Rigaku\SureDI\Help\SureDI_BasicPart_UserManual_JA.pdf
  • C:\Program Files\Rigaku\SureDI\Help\SureDI_SystemAdministrator_UserManual_EN.pdf
  • C:\Program Files\Rigaku\SureDI\Help\SureDI_SystemAdministrator_UserManual_JA.pdf
  • C:\Program Files\Rigaku\SureDI\ja
  • C:\Program Files\Rigaku\SureDI\ja\DevExpress.Data.v19.2.resources.dll
  • C:\Program Files\Rigaku\SureDI\ja\DevExpress.DataAccess.v19.2.resources.dll
  • C:\Program Files\Rigaku\SureDI\ja\DevExpress.Office.v19.2.Core.resources.dll
  • C:\Program Files\Rigaku\SureDI\ja\DevExpress.Pdf.v19.2.Core.resources.dll
  • C:\Program Files\Rigaku\SureDI\ja\DevExpress.Printing.v19.2.Core.resources.dll
  • C:\Program Files\Rigaku\SureDI\ja\DevExpress.RichEdit.v19.2.Core.resources.dll
  • C:\Program Files\Rigaku\SureDI\ja\DevExpress.Snap.v19.2.Core.resources.dll
  • C:\Program Files\Rigaku\SureDI\ja\DevExpress.Sparkline.v19.2.Core.resources.dll
  • C:\Program Files\Rigaku\SureDI\ja\DevExpress.Spreadsheet.v19.2.Core.resources.dll
  • C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.Charts.v19.2.resources.dll
  • C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.Controls.v19.2.resources.dll
  • C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.Core.v19.2.resources.dll
  • C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.Docking.v19.2.resources.dll
  • C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.DocumentViewer.v19.2.Core.resources.dll
  • C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.Grid.v19.2.Core.resources.dll
  • C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.LayoutControl.v19.2.resources.dll
  • C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.NavBar.v19.2.resources.dll
  • C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.PdfViewer.v19.2.resources.dll
  • C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.Printing.v19.2.resources.dll
  • C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.Ribbon.v19.2.resources.dll
  • C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.Spreadsheet.v19.2.resources.dll
  • C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpo.v19.2.resources.dll
  • C:\Program Files\Rigaku\SureDI\ja\DevExpress.XtraCharts.v19.2.resources.dll
  • C:\Program Files\Rigaku\SureDI\ja\Rigaku.APF.Materials.v2.0.resources.dll
  • C:\Program Files\Rigaku\SureDI\ja\Rigaku.APF.MathA.v2.0.resources.dll
  • C:\Program Files\Rigaku\SureDI\ja\Rigaku.APF.Sample.v2.0.resources.dll
  • C:\Program Files\Rigaku\SureDI\ja\Rigaku.APF.StressModule.v1.0.resources.dll
  • C:\Program Files\Rigaku\SureDI\ja\Rigaku.APF.SystemExtensions.v2.0.resources.dll
  • C:\Program Files\Rigaku\SureDI\ja\Rigaku.APF.TextureModule.v1.1.resources.dll
  • C:\Program Files\Rigaku\SureDI\ja\Rigaku.APF.XrayPhysics.v2.0.resources.dll
  • C:\Program Files\Rigaku\SureDI\ja\Rigaku.ApplicationShell.Shell.Infrastructure.v4.0.resources.dll
  • C:\Program Files\Rigaku\SureDI\ja\Rigaku.Chart.Editors.v2.0.resources.dll
  • C:\Program Files\Rigaku\SureDI\ja\Rigaku.Chart.Interface.v2.0.resources.dll
  • C:\Program Files\Rigaku\SureDI\ja\Rigaku.Chart.Layers.v2.0.resources.dll
  • C:\Program Files\Rigaku\SureDI\ja\Rigaku.Chart.Other.v2.0.resources.dll
  • C:\Program Files\Rigaku\SureDI\ja\Rigaku.Chart.Utils.v2.0.resources.dll
  • C:\Program Files\Rigaku\SureDI\ja\Rigaku.Chart.v2.0.resources.dll
  • C:\Program Files\Rigaku\SureDI\ja\Rigaku.CustomDataDialog.v1.0.resources.dll
  • C:\Program Files\Rigaku\SureDI\ja\Rigaku.DataBrowserDialog.v1.0.resources.dll
  • C:\Program Files\Rigaku\SureDI\ja\Rigaku.DBKeeperLogic.v4.0.resources.dll
  • C:\Program Files\Rigaku\SureDI\ja\Rigaku.DSCViewerControlLib.v1.0.resources.dll
  • C:\Program Files\Rigaku\SureDI\ja\Rigaku.EresSystem.DBBrowser.v1.0.resources.dll
  • C:\Program Files\Rigaku\SureDI\ja\Rigaku.EresSystem.UICommon.v1.0.resources.dll
  • C:\Program Files\Rigaku\SureDI\ja\Rigaku.EresSystem.v1.0.resources.dll
  • C:\Program Files\Rigaku\SureDI\ja\Rigaku.ImageViewerControlLib.v1.0.resources.dll
  • C:\Program Files\Rigaku\SureDI\ja\Rigaku.MRInfrastructure.v3.0.resources.dll
  • C:\Program Files\Rigaku\SureDI\ja\Rigaku.Plugins.DBManager.v4.0.resources.dll
  • C:\Program Files\Rigaku\SureDI\ja\Rigaku.Plugins.Launcher.v1.0.resources.dll
  • C:\Program Files\Rigaku\SureDI\ja\Rigaku.Plugins.Logging.v4.0.resources.dll
  • C:\Program Files\Rigaku\SureDI\ja\Rigaku.Plugins.TreeBasePlugin.Interface.v4.0.resources.dll
  • C:\Program Files\Rigaku\SureDI\ja\Rigaku.Plugins.UserManager.v4.0.resources.dll
  • C:\Program Files\Rigaku\SureDI\ja\Rigaku.RigakuCommonTools.v1.0.resources.dll
  • C:\Program Files\Rigaku\SureDI\ja\Rigaku.Services.DBDataService.v4.0.resources.dll
  • C:\Program Files\Rigaku\SureDI\ja\Rigaku.Services.ReportingService.Interface.v4.0.resources.dll
  • C:\Program Files\Rigaku\SureDI\ja\Rigaku.Services.ReportingService.v4.0.resources.dll
  • C:\Program Files\Rigaku\SureDI\ja\Rigaku.SignatureLib.v1.0.resources.dll
  • C:\Program Files\Rigaku\SureDI\ja\SureDI.v1.0.resources.dll
  • C:\Program Files\Rigaku\SureDI\License
  • C:\Program Files\Rigaku\SureDI\License\JP
  • C:\Program Files\Rigaku\SureDI\License\JP\License.rtf
  • C:\Program Files\Rigaku\SureDI\License\ThirdParty
  • C:\Program Files\Rigaku\SureDI\License\ThirdParty\ThirdPartyPrograms.txt
  • C:\Program Files\Rigaku\SureDI\License\US
  • C:\Program Files\Rigaku\SureDI\License\US\License.rtf
  • C:\Program Files\Rigaku\SureDI\Microsoft.Practices.EnterpriseLibrary.Common.dll
  • C:\Program Files\Rigaku\SureDI\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.dll
  • C:\Program Files\Rigaku\SureDI\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.Logging.dll
  • C:\Program Files\Rigaku\SureDI\Microsoft.Practices.EnterpriseLibrary.Logging.Database.dll
  • C:\Program Files\Rigaku\SureDI\Microsoft.Practices.EnterpriseLibrary.Logging.dll
  • C:\Program Files\Rigaku\SureDI\Microsoft.Practices.Prism.dll
  • C:\Program Files\Rigaku\SureDI\Microsoft.Practices.Prism.Interactivity.dll
  • C:\Program Files\Rigaku\SureDI\Microsoft.Practices.Prism.MefExtensions.dll
  • C:\Program Files\Rigaku\SureDI\Microsoft.Practices.Prism.UnityExtensions.dll
  • C:\Program Files\Rigaku\SureDI\Microsoft.Practices.ServiceLocation.dll
  • C:\Program Files\Rigaku\SureDI\Microsoft.Practices.Unity.dll
  • C:\Program Files\Rigaku\SureDI\Microsoft.Practices.Unity.Interception.dll
  • C:\Program Files\Rigaku\SureDI\Rigaku.APF.Materials.v2.0.dll
  • C:\Program Files\Rigaku\SureDI\Rigaku.APF.MathA.v2.0.dll
  • C:\Program Files\Rigaku\SureDI\Rigaku.APF.Sample.v2.0.dll
  • C:\Program Files\Rigaku\SureDI\Rigaku.APF.StressMath.v1.0.dll
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\Rigaku.APF.StressModule.v1.0.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\Rigaku.APF.SystemExtensions.v2.0.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\Rigaku.APF.TextureMath.v1.0.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\Rigaku.APF.TextureModule.v1.1.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\Rigaku.APF.XrayPhysics.v2.0.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\Rigaku.Infrastructure.ImageLib.v1.0.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\Rigaku.Infrastructure.IO.v1.0.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\Rigaku.Infrastructure.RasxLib.v1.0.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\Rigaku.InstrumentFramework.Communication.v1.0.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\Rigaku.InstrumentFramework.DataStruct.v1.0.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\Rigaku.PhysicalFramework.Basic.v1.0.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\Rigaku.PhysicalFramework.Film.v1.0.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\Rigaku.PhysicalFramework.Powder.v1.0.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\Rigaku.PhysicalFramework.xPDF.v1.0.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\SQLQueryJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\SQLQuery\RigakuDBJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\SQLQuery\RigakuDB\AddDataFileResultFilesInfoConstraint.sqlJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\SQLQuery\RigakuDB\CreateDataFileResultFilesInfo.sqlJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\SQLQuery\RigakuDB\CreateTablesMng.sqlJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\SureDI.v1.0.exeJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\EntLibContrib.Logging.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\Ionic.Zip.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\MathNet.Numerics.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\Newtonsoft.Json.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\PdfSharp-WPF.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\PdfSharp.Xps.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\PluginsCatalog.xamlJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\Rigaku.ApplicationShell.Shell.Infrastructure.Interface.v4.0.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\Rigaku.ApplicationShell.Shell.Infrastructure.v4.0.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\Rigaku.CustomDataDialog.v1.0.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\Rigaku.DataBrowserDialog.v1.0.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\Rigaku.DBKeeperLogic.v4.0.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\Rigaku.DBUPR.DI.v1.0.exeJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\Rigaku.ImageViewerControlLib.v1.0.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\Rigaku.MRInfrastructure.v3.0.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\Rigaku.RigakuCommonTools.v1.0.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\Rigaku.RLPS.DI.v1.0.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\Rigaku.SignatureLib.v1.0.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\SlimDX.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\SureDI.v1.0.exe.configJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\System.ComponentModel.Composition.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\System.Windows.Interactivity.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\tbb.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\TouchKeyboardNotifier.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\zlib.net.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\Rigaku.Plugins.TreeBasePlugin.Interface.v4.0.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\UpdateSQL.exeJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\wupi.net.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\WupiEngine64.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\WupiEngineNet.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\MonitoredUndo.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\Rigaku.Services.UndoRedoService.Interface.v4.0.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\Rigaku.Plugins.UserManager.v4.0.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12226574-52CC-483F-8DB0-E617C91F04D0}Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\License\JP\License.rtfJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\License\US\License.rtfJump to behavior
Source: SureDI.exe | Static PE information: certificate valid
Source: Binary string: C:\Projects\develop_v4.5_Rigaku_ERES_SDK\RigakuEresSystem\Rigaku.EresSystem.Logging\obj\Release\Rigaku.EresSystem.Logging.v1.0.pdb source: Rigaku.EresSystem.MonitorService.v1.0.exe, 0000000A.00000002.2930700715.000001C23A0C2000.00000002.00000001.01000000.00000010.sdmp
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: Newtonsoft.Json.dll.3.dr
Source: Binary string: e:\Builds\EntLib\Latest\Source\Blocks\Logging\Src\Logging\obj\Release\Microsoft.Practices.EnterpriseLibrary.Logging.pdb source: Rigaku.EresSystem.MonitorService.v1.0.exe, 0000000A.00000002.2934280354.000001C252A22000.00000002.00000001.01000000.00000014.sdmp
Source: Binary string: msvcr100.amd64.pdb source: msvcr100.dll.3.dr
Source: Binary string: C:\Projects\develop_v4.5_Rigaku_ERES_SDK\RigakuEresSystem\Rigaku.EresSystem.UICommon\obj\Release\Rigaku.EresSystem.UICommon.v1.0.pdbE source: Rigaku.EresSystem.UICommon.v1.0.dll.3.dr
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: Newtonsoft.Json.dll.3.dr
Source: Binary string: e:\Builds\Unity\UnityTemp\Compile\Unity\Unity\Src\obj\Release\Microsoft.Practices.Unity.pdb source: Rigaku.EresSystem.MonitorService.v1.0.exe, 0000000A.00000002.2933982351.000001C2529A2000.00000002.00000001.01000000.00000012.sdmp
Source: Binary string: e:\Builds\Unity\UnityTemp\Compile\Unity\Unity.Interception\Src\obj\Release\Microsoft.Practices.Unity.Interception.pdb source: Rigaku.EresSystem.MonitorService.v1.0.exe, 0000000A.00000002.2934118534.000001C2529D2000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: C:\Projects\develop_v4.5_Rigaku_ERES_SDK\Desktop\Plugins\DBManager\Source\DBManager\obj\x64\Release\Rigaku.Plugins.DBManager.v4.0.pdb source: Rigaku.Plugins.DBManager.v4.0.dll.3.dr
Source: Binary string: c:\projects\19.2\BuildLabel\Temp\NetStudio.v19.2.2005\XPF\DevExpress.Xpf.Core\DevExpress.Xpf.Core\obj.Wpf\Release\DevExpress.Xpf.Core.v19.2.pdbH! source: DevExpress.Xpf.Core.v19.2.dll.3.dr
Source: Binary string: C:\Projects\develop_v4.5_Rigaku_ERES_SDK\RigakuEresSystem\Rigaku.EresSystem.UICommon\obj\Release\Rigaku.EresSystem.UICommon.v1.0.pdb source: Rigaku.EresSystem.UICommon.v1.0.dll.3.dr
Source: Binary string: c:\projects\19.2\BuildLabel\Temp\NetStudio.v19.2.2005\XPF\DevExpress.Mvvm\DevExpress.Mvvm.UI.ApplicationJumpTaskLauncher\obj\Release\DevExpress.Mvvm.UI.ApplicationJumpTaskLauncher.pdb source: DevExpress.Xpf.Core.v19.2.dll.3.dr
Source: Binary string: c:\Home\Chris\Projects\CommonServiceLocator\main\Microsoft.Practices.ServiceLocation\obj\Release\Microsoft.Practices.ServiceLocation.pdb source: Rigaku.EresSystem.MonitorService.v1.0.exe, 0000000A.00000002.2930784627.000001C23A0E2000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: c:\projects\19.2\BuildLabel\Temp\NetStudio.v19.2.2005\XPF\DevExpress.Xpf.Core\DevExpress.Xpf.Core\obj.Wpf\Release\DevExpress.Xpf.Core.v19.2.pdb source: DevExpress.Xpf.Core.v19.2.dll.3.dr
Source: Binary string: C:\CodeBases\isdev\redist\Language Independent\i386\setup.pdb source: SureDI.exe
Source: Binary string: C:\Projects\develop_v4.5_Rigaku_ERES_SDK\RigakuEresSystem\Rigaku.EresSystem.MonitorService\obj\x64\Release\Rigaku.EresSystem.MonitorService.v1.0.pdb source: Rigaku.EresSystem.MonitorService.v1.0.exe, 0000000A.00000000.2105764810.000001C2398F2000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: e:\Builds\EntLib\Latest\Source\Blocks\Common\Src\obj\Release\Microsoft.Practices.EnterpriseLibrary.Common.pdb source: Rigaku.EresSystem.MonitorService.v1.0.exe, 0000000A.00000002.2934567546.000001C252AA2000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: c:\projects\19.2\BuildLabel\Temp\NetStudio.v19.2.2005\Win\DevExpress.Pdf\DevExpress.Pdf.Core\obj_netFW\Release\DevExpress.Pdf.v19.2.Core.pdb source: DevExpress.Pdf.v19.2.Core.dll.3.dr
Source: Binary string: C:\Project\develop_v4.5_Rigaku_ERES_SDK\SQLDatabase\Tools\Maintenance\LocalSQLserverSettings\LocalSQLserverSettings\obj\Release\LocalSQLserverSettings.pdb source: LocalSQLserverSettings.exe.3.dr
Source: Binary string: C:\Projects\develop_v4.5_Rigaku_ERES_SDK\RigakuEresSystem\Rigaku.EresSystem.Monitor\obj\x64\Release\Rigaku.EresSystem.Monitor.v1.0.pdb source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000000.2161411867.00000216E2912000.00000002.00000001.01000000.00000009.sdmp
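The PDB paths above are the linker's CodeView records, and they are worth more than a string dump suggests: every Rigaku module shares one source tree (`C:\Projects\develop_v4.5_Rigaku_ERES_SDK\...`), the vendor components sit in their own trees (Enterprise Library and Unity under `e:\Builds\`, DevExpress under `c:\projects\19.2\BuildLabel\`, Newtonsoft.Json with a deterministic-build `/_/` root), and the `C:\CodeBases\isdev\redist\...\setup.pdb` string in SureDI.exe itself is the build path of the InstallShield setup bootstrapper. The following is an added example, not part of the sandbox output and not code from Rigaku or any vendor named here; it parses the RSDS record (GUID, age and NUL-terminated path) rather than sweeping for printable runs, so it stops at the end of the path and does not pick up trailing bytes, and it derives the symbol-server key and a build-tree key for clustering. `SAMPLE` is a constructed byte blob, not bytes from the reported files; `build_root` and its depth of two components are this example's own convention.

```python
"""Parse CodeView (RSDS) debug records out of a PE image or memory dump and derive the
PDB path, the symbol-server key and a build-tree key for clustering related binaries.

Added example for this report; not part of the sandbox output and not vendor code.
SAMPLE is a constructed byte blob, not bytes from the files listed in the report."""
from __future__ import annotations

import re
import struct
import uuid

# PDB 7.0 CodeView record as MSVC and Roslyn emit it into the debug directory:
# 'RSDS' | GUID (16 bytes, Windows GUID byte order) | age (uint32 LE) | NUL-terminated path.
# A regex over the whole blob also works on partial memory dumps where the PE headers are gone.
RSDS = re.compile(rb"RSDS(.{16})(.{4})([^\x00]{1,512})\x00", re.DOTALL)


def codeview_records(image: bytes) -> list[dict]:
    records = []
    for m in RSDS.finditer(image):
        path = m.group(3).decode("latin-1")
        if ".pdb" not in path.lower():
            continue  # 'RSDS' occurring in text or data, not a debug record
        guid = uuid.UUID(bytes_le=m.group(1))  # bytes_le matches the on-disk GUID layout
        age = struct.unpack("<I", m.group(2))[0]
        records.append({
            "offset": m.start(),
            "guid": str(guid),
            "age": age,
            "path": path,
            # Symbol-server folder name: 32 upper-case hex digits of the GUID followed by
            # the age in upper-case hex without padding, i.e. <name>.pdb/<GUID><AGE>/<name>.pdb
            "sym_key": f"{guid.hex.upper()}{age:X}",
        })
    return records


def build_root(pdb_path: str, depth: int = 2) -> str:
    """First `depth` path components, lower-cased, drive letter dropped and separators
    normalised, so binaries built from one source tree share a key (example convention)."""
    p = re.sub(r"^[a-zA-Z]:", "", pdb_path.replace("/", "\\")).lower()
    parts = [seg for seg in p.split("\\") if seg]
    return "\\".join(parts[:depth])


def group_by_build_root(records: list[dict]) -> dict[str, list[str]]:
    groups: dict[str, list[str]] = {}
    for rec in records:
        groups.setdefault(build_root(rec["path"]), []).append(rec["path"])
    return groups


def _constructed_sample() -> bytes:
    # Two records separated by filler, plus an 'RSDS' whose payload is not a PDB path
    # and must be rejected by the '.pdb' check. Constructed for this example.
    g1 = uuid.UUID("12345678-1234-5678-1234-567812345678")
    g2 = uuid.UUID("a1b2c3d4-e5f6-4789-8abc-def012345678")
    rec1 = (b"RSDS" + g1.bytes_le + struct.pack("<I", 3)
            + b"C:\\Projects\\Example_SDK\\Logging\\obj\\Release\\Example.Logging.pdb\x00")
    rec2 = (b"RSDS" + g2.bytes_le + struct.pack("<I", 0x1A)
            + b"C:\\Users\\builder\\src\\Widget\\obj\\x64\\Release\\Widget.pdb\x00")
    decoy = b"RSDS" + b"A" * 20 + b"not a debug record\x00"
    return b"\x00" * 32 + rec1 + b"\xaa" * 8 + decoy + b"\x00" * 16 + rec2 + b"\x00" * 16


SAMPLE = _constructed_sample()

if __name__ == "__main__":
    for rec in codeview_records(SAMPLE):
        print(f"{rec['offset']:#08x} {rec['sym_key']}  {rec['path']}")
    print(group_by_build_root(codeview_records(SAMPLE)))
```

Run it over a dropped file or a `.sdmp` memory region and the `sym_key` values are what a symbol server expects under the PDB file name, which makes it possible to check whether a vendor actually publishes symbols for a given build. Keep in mind that the path and GUID are writer-controlled strings: they are good for clustering builds and identifying the build environment, not for authenticating the binary.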
Source: C:\Windows\System32\msiexec.exe | File opened: z:
Source: C:\Windows\System32\msiexec.exe | File opened: x:
Source: C:\Windows\System32\msiexec.exe | File opened: v:
Source: C:\Windows\System32\msiexec.exe | File opened: t:
Source: C:\Windows\System32\msiexec.exe | File opened: r:
Source: C:\Windows\System32\msiexec.exe | File opened: p:
Source: C:\Windows\System32\msiexec.exe | File opened: n:
Source: C:\Windows\System32\msiexec.exe | File opened: l:
Source: C:\Windows\System32\msiexec.exe | File opened: j:
Source: C:\Windows\System32\msiexec.exe | File opened: h:
Source: C:\Windows\System32\msiexec.exe | File opened: f:
Source: C:\Windows\System32\msiexec.exe | File opened: b:
Source: C:\Windows\System32\msiexec.exe | File opened: y:
Source: C:\Windows\System32\msiexec.exe | File opened: w:
Source: C:\Windows\System32\msiexec.exe | File opened: u:
Source: C:\Windows\System32\msiexec.exe | File opened: s:
Source: C:\Windows\System32\msiexec.exe | File opened: q:
Source: C:\Windows\System32\msiexec.exe | File opened: o:
Source: C:\Windows\System32\msiexec.exe | File opened: m:
Source: C:\Windows\System32\msiexec.exe | File opened: k:
Source: C:\Windows\System32\msiexec.exe | File opened: i:
Source: C:\Windows\System32\msiexec.exe | File opened: g:
Source: C:\Windows\System32\msiexec.exe | File opened: e:
Source: C:\Windows\System32\svchost.exe | File opened: c:
Source: C:\Windows\System32\msiexec.exe | File opened: a:
Source: C:\Users\user\Desktop\SureDI.exe | Code function: 0_2_004373F3 __EH_prolog3_GS,_memset,GetTempPathW,FindFirstFileW,CompareFileTime,DeleteFileW,FindNextFileW
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe | Code function: 1_2_004373F3 __EH_prolog3_GS,_memset,GetTempPathW,FindFirstFileW,CompareFileTime,DeleteFileW,FindNextFileW
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr | String found in binary or memory: Https://go.devexpress.com/Demo_2013_BuyNow.aspxfhttps://go.devexpress.com/Demo_2013_BuyNow_ASP.aspxl
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr | String found in binary or memory: Https://go.devexpress.com/Demo_2013_Chat.aspxgHttps://go.devexpress.com/Demo_2013_GetSupport.aspx
Source: DevExpress.Spreadsheet.v19.2.Core.resources.dll.3.dr, DevExpress.Snap.v19.2.Core.resources.dll.3.dr, DevExpress.Xpf.Core.v19.2.dll.3.dr, DevExpress.Sparkline.v19.2.Core.resources.dll.3.dr, DevExpress.Pdf.v19.2.Core.dll.3.dr, Newtonsoft.Json.dll.3.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: DevExpress.Spreadsheet.v19.2.Core.resources.dll.3.dr, DevExpress.Snap.v19.2.Core.resources.dll.3.dr, DevExpress.Xpf.Core.v19.2.dll.3.dr, DevExpress.Sparkline.v19.2.Core.resources.dll.3.dr, DevExpress.Pdf.v19.2.Core.dll.3.dr, Newtonsoft.Json.dll.3.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: Newtonsoft.Json.dll.3.dr | String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr | String found in binary or memory: http://creativecommons.org/ns#
Source: svchost.exe, 0000000F.00000002.2932195097.00000249FAA00000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.ver)
Source: DevExpress.Spreadsheet.v19.2.Core.resources.dll.3.dr, DevExpress.Snap.v19.2.Core.resources.dll.3.dr, DevExpress.Xpf.Core.v19.2.dll.3.dr, DevExpress.Sparkline.v19.2.Core.resources.dll.3.dr, DevExpress.Pdf.v19.2.Core.dll.3.dr, Newtonsoft.Json.dll.3.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: Newtonsoft.Json.dll.3.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: Newtonsoft.Json.dll.3.dr | String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
Source: DevExpress.Spreadsheet.v19.2.Core.resources.dll.3.dr, DevExpress.Snap.v19.2.Core.resources.dll.3.dr, DevExpress.Xpf.Core.v19.2.dll.3.dr, DevExpress.Sparkline.v19.2.Core.resources.dll.3.dr, DevExpress.Pdf.v19.2.Core.dll.3.dr, Newtonsoft.Json.dll.3.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: DevExpress.Spreadsheet.v19.2.Core.resources.dll.3.dr, DevExpress.Snap.v19.2.Core.resources.dll.3.dr, DevExpress.Xpf.Core.v19.2.dll.3.dr, DevExpress.Sparkline.v19.2.Core.resources.dll.3.dr, DevExpress.Pdf.v19.2.Core.dll.3.dr, Newtonsoft.Json.dll.3.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Newtonsoft.Json.dll.3.dr | String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0L
Source: DevExpress.Spreadsheet.v19.2.Core.resources.dll.3.dr, DevExpress.Snap.v19.2.Core.resources.dll.3.dr, DevExpress.Xpf.Core.v19.2.dll.3.dr, DevExpress.Sparkline.v19.2.Core.resources.dll.3.dr, DevExpress.Pdf.v19.2.Core.dll.3.dr, Newtonsoft.Json.dll.3.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000002.2931507929.00000216E478C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://defaultcontainer/Rigaku.EresSystem.Monitor.v1.0;component/mainwindow.xaml
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr | String found in binary or memory: http://documentation.devexpress.com/
Source: svchost.exe, 0000000F.00000003.2247382757.00000249FA8A8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: svchost.exe, 0000000F.00000003.2247382757.00000249FA8A8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: svchost.exe, 0000000F.00000003.2247382757.00000249FA8A8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: svchost.exe, 0000000F.00000003.2247382757.00000249FA8A8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 0000000F.00000003.2247382757.00000249FA8A8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 0000000F.00000003.2247382757.00000249FA8A8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 0000000F.00000003.2247382757.00000249FA8DD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: svchost.exe, 0000000F.00000003.2247382757.00000249FA921000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000002.2931507929.00000216E478C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://foo/bar/mainwindow.baml
Source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000002.2931507929.00000216E478C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://foo/mainwindow.xaml
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr | String found in binary or memory: http://go.devexpress.com/SupportXBAP.aspx
Source: Newtonsoft.Json.dll.3.dr | String found in binary or memory: http://james.newtonking.com/projects/json
Source: DevExpress.Spreadsheet.v19.2.Core.resources.dll.3.dr, DevExpress.Snap.v19.2.Core.resources.dll.3.dr, DevExpress.Xpf.Core.v19.2.dll.3.dr, DevExpress.Sparkline.v19.2.Core.resources.dll.3.dr, DevExpress.Pdf.v19.2.Core.dll.3.dr, Newtonsoft.Json.dll.3.dr | String found in binary or memory: http://ocsp.digicert.com0C
Source: Newtonsoft.Json.dll.3.dr | String found in binary or memory: http://ocsp.digicert.com0K
Source: Newtonsoft.Json.dll.3.dr | String found in binary or memory: http://ocsp.digicert.com0N
Source: DevExpress.Spreadsheet.v19.2.Core.resources.dll.3.dr, DevExpress.Snap.v19.2.Core.resources.dll.3.dr, DevExpress.Xpf.Core.v19.2.dll.3.dr, DevExpress.Sparkline.v19.2.Core.resources.dll.3.dr, DevExpress.Pdf.v19.2.Core.dll.3.dr, Newtonsoft.Json.dll.3.dr | String found in binary or memory: http://ocsp.digicert.com0O
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr | String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/accordion/internal
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr | String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/accordion/themekeyslhttp://schemas.devexpress.com/winf
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr, Rigaku.Plugins.DBManager.v4.0.dll.3.dr | String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/bars
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr | String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/bars/internal
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr | String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/bars/themekeys
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr | String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/carousel/themekeysjhttp://schemas.devexpress.com/winfx
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr | String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/charts/rangecontrolclient
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr | String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/charts/themekeyshhttp://schemas.devexpress.com/winfx/2
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr | String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/controls/themekeysphttp://schemas.devexpress.com/winfx
Source: Rigaku.EresSystem.UICommon.v1.0.dll.3.dr, Rigaku.Plugins.DBManager.v4.0.dll.3.dr | String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/core
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr | String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/core)DevExpress.Xpf.Core.ConditionalFormatting
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr | String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/core)DevExpress.Xpf.Core.ConditionalFormattingq
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr | String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/core/filteringui
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr | String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/core/filteringui/internal
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr | String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/core/filteringui/themekeysxhttp://schemas.devexpress.c
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr | String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/core/internal
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr | String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/core/internal0DevExpress.Xpf.Core.ConditionalFormattin
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr | String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/core/themekeys
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr | String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/core/themekeys0DevExpress.Xpf.Core.ConditionalFormatti
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr | String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/core/wizardframework
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr | String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/core/wizardframework#DevExpress.Xpf.Core.WizardFramewo
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr | String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/core/wizardframeworkvhttp://schemas.devexpress.com/win
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr | String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/dashboard/internal
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr | String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/dashboard/themekeys:DevExpress.Xpf.DocumentViewerHDevE
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr | String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/dataaccess/internal
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr | String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/dataaccess/themekeys
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr | String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/diagram/internal~http://schemas.devexpress.com/winfx/2
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr | String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/dialogs/internalfhttp://schemas.devexpress.com/winfx/2
Source: Rigaku.CustomDataDialog.v1.0.dll.3.dr | String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/docking
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr | String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/docking/platform
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr | String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/docking/visualelementsnhttp://schemas.devexpress.com/w
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr | String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/documentviewer/themekeysbhttp://schemas.devexpress.com
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr, Rigaku.EresSystem.UICommon.v1.0.dll.3.dr, Rigaku.Plugins.DBManager.v4.0.dll.3.dr | String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/editors
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr | String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/editors#DevExpress.Xpf.Editors.RangeControl
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr | String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/editors#DevExpress.Xpf.Editors.RangeControlZ
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr | String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/editors$DevExpress.Xpf.Editors.DateNavigator
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr | String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/editors&DevExpress.Xpf.Editors.Popups.Calendar
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr | String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/editors&DevExpress.Xpf.Editors.Popups.Calendar;
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr | String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/editors)DevExpress.Xpf.Editors.Settings.Extension
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr | String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/editors)DevExpress.Xpf.Editors.Settings.Extensionb
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr | String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/editors/internal
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr | String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/editors/internal$DevExpress.Xpf.Editors.Flyout.Native
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr | String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/editors/internal$DevExpress.Xpf.Editors.Flyout.NativeG
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr | String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/editors/internal-DevExpress.Xpf.Editors.DateNavigator.
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr | String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/editors/internalthttp://schemas.devexpress.com/winfx/2
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr | String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/editors/themekeys
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr | String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/expressioneditor
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr | String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/expressioneditor/internalthttp://schemas.devexpress.co
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr | String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/gauges/themekeysbhttp://schemas.devexpress.com/winfx/2
Source: Rigaku.EresSystem.UICommon.v1.0.dll.3.dr, Rigaku.Plugins.DBManager.v4.0.dll.3.dr | String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/grid
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr | String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/mvvm
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr | String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/mvvm/internal
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr | String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/mvvm/internal$DevExpress.Mvvm.UI
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr | String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/mvvm/internal)DevExpress.Mvvm.UI.Interactivity.Interna
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr | String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/navbar/themekeysjhttp://schemas.devexpress.com/winfx/2
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr | String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/navigation/internalnhttp://schemas.devexpress.com/winf
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr | String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/office
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr | String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/office/themekeys
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr | String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/office/themekeyslhttp://schemas.devexpress.com/winfx/2
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr | String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/pivotgrid/internaldhttp://schemas.devexpress.com/winfx
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr | String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/pivotgrid/themekeys
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr, Rigaku.Plugins.DBManager.v4.0.dll.3.dr | String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/printing
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr | String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/printing/parametersphttp://schemas.devexpress.com/winf
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr | String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/printing/themekeyszhttp://schemas.devexpress.com/winfx
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr | String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/propertygrid/internal
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr | String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/propertygrid/themekeysjhttp://schemas.devexpress.com/w
Source: DevExpress.Xpf.Core.v19.2.dll.3.drString found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/reports/userdesigner
Source: DevExpress.Xpf.Core.v19.2.dll.3.drString found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/reports/userdesigner/internal
Source: DevExpress.Xpf.Core.v19.2.dll.3.drString found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/reports/userdesigner/themekeys
Source: DevExpress.Xpf.Core.v19.2.dll.3.drString found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/reports/userdesigner/wizard
Source: DevExpress.Xpf.Core.v19.2.dll.3.drString found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/reports/userdesigner/wizard/internal
Source: DevExpress.Xpf.Core.v19.2.dll.3.drString found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/reports/userdesignerextensionsvhttp://schemas.devexpre
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr, Rigaku.Plugins.DBManager.v4.0.dll.3.drString found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/ribbon
Source: DevExpress.Xpf.Core.v19.2.dll.3.drString found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/ribbon/internal
Source: DevExpress.Xpf.Core.v19.2.dll.3.drString found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/ribbon/themekeyshhttp://schemas.devexpress.com/winfx/2
Source: DevExpress.Xpf.Core.v19.2.dll.3.drString found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/richedit
Source: DevExpress.Xpf.Core.v19.2.dll.3.drString found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/richedit/themekeys
Source: DevExpress.Xpf.Core.v19.2.dll.3.drString found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/richeditextensionslhttp://schemas.devexpress.com/winfx
Source: DevExpress.Xpf.Core.v19.2.dll.3.drString found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/scheduler/internalphttp://schemas.devexpress.com/winfx
Source: DevExpress.Xpf.Core.v19.2.dll.3.drString found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/scheduler/themekeys
Source: DevExpress.Xpf.Core.v19.2.dll.3.drString found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/scheduling/themekeyshhttp://schemas.devexpress.com/win
Source: DevExpress.Xpf.Core.v19.2.dll.3.drString found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/spreadsheet/internal
Source: DevExpress.Xpf.Core.v19.2.dll.3.drString found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/spreadsheet/themekeysdhttp://schemas.devexpress.com/wi
Source: DevExpress.Xpf.Core.v19.2.dll.3.drString found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/windowsui/internal
Source: DevExpress.Xpf.Core.v19.2.dll.3.drString found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/windowsui/navigationlhttp://schemas.devexpress.com/win
Source: DevExpress.Xpf.Core.v19.2.dll.3.drString found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/windowsui/themekeys
Source: Rigaku.EresSystem.UICommon.v1.0.dll.3.drString found in binary or memory: http://schemas.rigaku.com/eressystem/uicommon
Source: Rigaku.CustomDataDialog.v1.0.dll.3.drString found in binary or memory: http://schemas.rigaku.com/slsii/infra/customfiledialog
Source: Rigaku.CustomDataDialog.v1.0.dll.3.drString found in binary or memory: http://schemas.rigaku.com/slsii/infra/dscviewerctrl
Source: Rigaku.CustomDataDialog.v1.0.dll.3.drString found in binary or memory: http://schemas.rigaku.com/slsii/infra/imgviewerctrl
Source: Rigaku.Plugins.DBManager.v4.0.dll.3.drString found in binary or memory: http://schemas.rigaku.com/slsii/plugins/dbmanager
Source: DevExpress.Xpf.Core.v19.2.dll.3.drString found in binary or memory: http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd
Source: DevExpress.Spreadsheet.v19.2.Core.resources.dll.3.dr, DevExpress.Snap.v19.2.Core.resources.dll.3.dr, DevExpress.Xpf.Core.v19.2.dll.3.dr, DevExpress.Sparkline.v19.2.Core.resources.dll.3.dr, DevExpress.Pdf.v19.2.Core.dll.3.drString found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: DevExpress.Spreadsheet.v19.2.Core.resources.dll.3.dr, DevExpress.Snap.v19.2.Core.resources.dll.3.dr, DevExpress.Xpf.Core.v19.2.dll.3.dr, DevExpress.Sparkline.v19.2.Core.resources.dll.3.dr, DevExpress.Pdf.v19.2.Core.dll.3.drString found in binary or memory: http://t2.symcb.com0
Source: DevExpress.Spreadsheet.v19.2.Core.resources.dll.3.dr, DevExpress.Snap.v19.2.Core.resources.dll.3.dr, DevExpress.Xpf.Core.v19.2.dll.3.dr, DevExpress.Sparkline.v19.2.Core.resources.dll.3.dr, DevExpress.Pdf.v19.2.Core.dll.3.drString found in binary or memory: http://tl.symcb.com/tl.crl0
Source: DevExpress.Spreadsheet.v19.2.Core.resources.dll.3.dr, DevExpress.Snap.v19.2.Core.resources.dll.3.dr, DevExpress.Xpf.Core.v19.2.dll.3.dr, DevExpress.Sparkline.v19.2.Core.resources.dll.3.dr, DevExpress.Pdf.v19.2.Core.dll.3.drString found in binary or memory: http://tl.symcb.com/tl.crt0
Source: DevExpress.Spreadsheet.v19.2.Core.resources.dll.3.dr, DevExpress.Snap.v19.2.Core.resources.dll.3.dr, DevExpress.Xpf.Core.v19.2.dll.3.dr, DevExpress.Sparkline.v19.2.Core.resources.dll.3.dr, DevExpress.Pdf.v19.2.Core.dll.3.drString found in binary or memory: http://tl.symcd.com0&
Source: DevExpress.Pdf.v19.2.Core.dll.3.drString found in binary or memory: http://www.aiim.org/pdfa/ns/id/
Source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000002.2929819573.0000021681022000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000002.2929819573.0000021681022000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
Source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000002.2929819573.0000021681022000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
Source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000002.2929819573.0000021681022000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
Source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000002.2929819573.0000021681022000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
Source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000002.2929819573.0000021681022000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000002.2929819573.0000021681022000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000002.2929819573.0000021681022000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
Source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000002.2929819573.0000021681022000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
Source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000002.2929819573.0000021681022000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
Source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000002.2929819573.0000021681022000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
Source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000002.2929819573.0000021681022000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
Source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000002.2929819573.0000021681022000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000002.2929819573.0000021681022000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000002.2929819573.0000021681022000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000002.2929819573.0000021681022000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000002.2929819573.0000021681022000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
Source: DevExpress.Xpf.Core.v19.2.dll.3.drString found in binary or memory: http://www.inkscape.org/namespaces/inkscape
Source: SureDI.exeString found in binary or memory: http://www.installshield.com/isetup/ProErrorCentral.asp?ErrorCode=%d
Source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000002.2929819573.0000021681022000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: SureDI.exe, 00000001.00000003.2222889116.0000000000680000.00000004.00000020.00020000.00000000.sdmp, SureDI.exe, 00000001.00000002.2224330579.000000000068D000.00000004.00000020.00020000.00000000.sdmp, SureDI.exe, 00000001.00000003.2223003927.000000000068C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.rigaku.com
Source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000002.2929819573.0000021681022000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
Source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000002.2929819573.0000021681022000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
Source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000002.2929819573.0000021681022000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
Source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000002.2929819573.0000021681022000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
Source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000002.2929819573.0000021681022000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
Source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000002.2929819573.0000021681022000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
Source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000002.2929819573.0000021681022000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
Source: DevExpress.Xpf.Core.v19.2.dll.3.drString found in binary or memory: https://documentation.devexpress.com/#WPF/CustomDocument17469
Source: DevExpress.Xpf.Core.v19.2.dll.3.drString found in binary or memory: https://documentation.devexpress.com/WPF/11765/Controls-and-Libraries/Data-Grid/Binding-to-Data/Mana
Source: svchost.exe, 0000000F.00000003.2247382757.00000249FA952000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: svchost.exe, 0000000F.00000003.2247382757.00000249FA8E6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: svchost.exe, 0000000F.00000003.2247382757.00000249FA952000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: svchost.exe, 0000000F.00000003.2247382757.00000249FA933000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.2247382757.00000249FA984000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.2247382757.00000249FA997000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.2247382757.00000249FA952000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.2247382757.00000249FA978000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 0000000F.00000003.2247382757.00000249FA952000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: DevExpress.Xpf.Core.v19.2.dll.3.drString found in binary or memory: https://go.devexpress.com/Demo_2013_Competitive_Discounts.aspx_Https://go.devexpress.com/Demo_2013_B
Source: DevExpress.Xpf.Core.v19.2.dll.3.drString found in binary or memory: https://go.devexpress.com/Demo_2013_Competitive_Discounts.aspxzhttps://go.devexpress.com/Demo_2013_C
Source: DevExpress.Xpf.Core.v19.2.dll.3.drString found in binary or memory: https://go.devexpress.com/Demo_2013_RegisterTrial.aspx
Source: svchost.exe, 0000000F.00000003.2247382757.00000249FA952000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: svchost.exe, 0000000F.00000003.2247382757.00000249FA8E6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: DevExpress.Spreadsheet.v19.2.Core.resources.dll.3.dr, DevExpress.Snap.v19.2.Core.resources.dll.3.dr, DevExpress.Xpf.Core.v19.2.dll.3.dr, DevExpress.Sparkline.v19.2.Core.resources.dll.3.dr, DevExpress.Pdf.v19.2.Core.dll.3.drString found in binary or memory: https://www.devexpress.com/0
Source: DevExpress.Spreadsheet.v19.2.Core.resources.dll.3.dr, DevExpress.Snap.v19.2.Core.resources.dll.3.dr, DevExpress.Xpf.Core.v19.2.dll.3.dr, DevExpress.Sparkline.v19.2.Core.resources.dll.3.dr, DevExpress.Pdf.v19.2.Core.dll.3.dr, Newtonsoft.Json.dll.3.drString found in binary or memory: https://www.digicert.com/CPS0
Source: Newtonsoft.Json.dll.3.drString found in binary or memory: https://www.newtonsoft.com/json
Source: Newtonsoft.Json.dll.3.drString found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: DevExpress.Xpf.Core.v19.2.dll.3.drString found in binary or memory: https://www.nuget.org/packages/Mono.Cecil/)
Source: Newtonsoft.Json.dll.3.drString found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
Source: DevExpress.Spreadsheet.v19.2.Core.resources.dll.3.dr, DevExpress.Snap.v19.2.Core.resources.dll.3.dr, DevExpress.Xpf.Core.v19.2.dll.3.dr, DevExpress.Sparkline.v19.2.Core.resources.dll.3.dr, DevExpress.Pdf.v19.2.Core.dll.3.drString found in binary or memory: https://www.thawte.com/cps0/
Source: DevExpress.Spreadsheet.v19.2.Core.resources.dll.3.dr, DevExpress.Snap.v19.2.Core.resources.dll.3.dr, DevExpress.Xpf.Core.v19.2.dll.3.dr, DevExpress.Sparkline.v19.2.Core.resources.dll.3.dr, DevExpress.Pdf.v19.2.Core.dll.3.drString found in binary or memory: https://www.thawte.com/repository0W

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\Rigaku.EresSystem.MonitorService.v1.0
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\Rigaku.EresSystem.MonitorService.v1.0
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\Rigaku.EresSystem.MonitorService.v1.0
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\Rigaku.EresSystem.MonitorService.v1.0
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_00496296 CryptImportKey
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_00496320 __EH_prolog3_GS,CreateFileW,ReadFile,CryptCreateHash,ReadFile,CryptHashData,GetLastError,CryptHashData,GetLastError,CryptDeriveKey,GetLastError,ReadFile,CryptImportKey,GetLastError,GetLastError
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_00496296 CryptImportKey
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_00496320 __EH_prolog3_GS,CreateFileW,ReadFile,CryptCreateHash,ReadFile,CryptHashData,GetLastError,CryptHashData,GetLastError,CryptDeriveKey,GetLastError,ReadFile,CryptImportKey,GetLastError,GetLastError
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_00489993 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_00489993 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx
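The "Code function" entries above give the API sequence of each flagged function: 0_2_00496320 reads a file, hashes it with CryptCreateHash/CryptHashData, derives a key from the hash (CryptDeriveKey) and imports key material (CryptImportKey), and 0_2_00489993 opens the process token, enables a privilege with AdjustTokenPrivileges and then calls ExitWindowsEx, which is the standard way a setup program obtains SeShutdownPrivilege before rebooting. The "String found in binary or memory" entries further up are truncated at 100 characters and occasionally carry a stray trailing byte from the surrounding data (the "0" in http://t2.symcb.com0, the "D" in http://www.typography.netD), so hostnames taken from them are indicative rather than exact. The following Python script is an added triage helper, not part of the Joe Sandbox report or of the SureDI installer: it parses lines in both the fused form seen in this export ("SureDI.exeCode function: ...") and the column-separated form, drops the duplicated function identifier that the link text leaves behind, tags ordered API chains, and groups hostnames by the dropped file or memory dump that contains them. The chain names and their API membership are this example's own heuristics, not Joe Sandbox signature definitions, and the sample lines are a constructed subset copied from the report.

```python
"""Triage helper for the "Code function" and "String found in binary or memory"
lines of a Joe Sandbox report.  Added example; not part of the report or of the
SureDI installer it analyses."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Function identifier as the report prints it: <pid>_<dump>_<address>, with an
# 8- or 16-hex-digit address.  The text export often glues the link text (a
# repeat of the identifier) straight onto the address, so the address width is
# fixed rather than greedy to keep "0_2_0044A8910_2_0044A891" splittable.
_FID = r"\d+_\d+_[0-9A-Fa-f]{8}(?:[0-9A-Fa-f]{8})?"
FID_RE = re.compile(rf"^{_FID}$")
FUNC_RE = re.compile(
    rf"^Source:\s*(?P<src>.+?)\s*Code function:\s*(?P<fid>{_FID})\s*(?P<apis>.*)$")
STR_RE = re.compile(
    r"^Source:\s*(?P<srcs>.+?)\s*String found in binary or memory:\s*(?P<s>.*)$")

# Ordered API chains worth a second look.  Names and membership are this
# example's own heuristics, not Joe Sandbox signature definitions.
API_CHAINS = {
    # enable a privilege on the caller's token, then call a privileged API
    "token-privilege-then-shutdown": ["OpenProcessToken", "LookupPrivilegeValueW",
                                      "AdjustTokenPrivileges", "ExitWindowsEx"],
    # CryptoAPI: hash data, then derive a session key from the hash object
    "cryptoapi-key-derivation": ["CryptCreateHash", "CryptHashData", "CryptDeriveKey"],
    # CryptoAPI: import key material from a key blob
    "cryptoapi-key-import": ["CryptImportKey"],
}

# Constructed sample: lines copied from the report, in both the fused
# ("SureDI.exeCode function") and the column-separated (tab) form.
SAMPLE_LINES = [
    "Source: C:\\Users\\user\\Desktop\\SureDI.exe\tCode function: 0_2_00496296 CryptImportKey,0_2_00496296",
    "Source: C:\\Users\\user\\AppData\\Local\\Temp\\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\\SureDI.exeCode function: "
    "1_2_00496320 __EH_prolog3_GS,CreateFileW,ReadFile,CryptCreateHash,ReadFile,CryptHashData,GetLastError,"
    "CryptHashData,GetLastError,CryptDeriveKey,GetLastError,ReadFile,CryptImportKey,GetLastError,GetLastError,1_2_00496320",
    "Source: C:\\Users\\user\\Desktop\\SureDI.exeCode function: 0_2_00489993 GetCurrentProcess,OpenProcessToken,"
    "LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,0_2_00489993",
    "Source: C:\\Users\\user\\Desktop\\SureDI.exeCode function: 0_2_0044A8910_2_0044A891",
    "Source: Newtonsoft.Json.dll.3.drString found in binary or memory: https://www.newtonsoft.com/json",
    "Source: DevExpress.Xpf.Core.v19.2.dll.3.dr, Rigaku.Plugins.DBManager.v4.0.dll.3.drString found in binary "
    "or memory: http://schemas.devexpress.com/winfx/2008/xaml/grid",
    "Source: DevExpress.Pdf.v19.2.Core.dll.3.dr\tString found in binary or memory: http://t2.symcb.com0",
]


def parse_report(lines):
    """Split report lines into function records and string records."""
    functions, strings = [], []
    for line in lines:
        line = line.strip()
        m = FUNC_RE.match(line)
        if m:
            apis = [a.strip() for a in m["apis"].split(",")]
            # drop empties and the repeated identifier left behind by the link text
            apis = [a for a in apis if a and not FID_RE.match(a)]
            functions.append({"source": m["src"], "function": m["fid"], "apis": apis})
            continue
        m = STR_RE.match(line)
        if m:
            strings.append({"sources": [s.strip() for s in m["srcs"].split(",")],
                            "string": m["s"]})
    return functions, strings


def is_subsequence(needle, haystack):
    """True if every API in needle occurs in haystack in that order (gaps allowed).
    `api in it` advances the shared iterator, so order is enforced."""
    it = iter(haystack)
    return all(api in it for api in needle)


def match_chains(functions, chains=API_CHAINS):
    """Return (function id, chain name) for every chain present in each function."""
    return [(fn["function"], name)
            for fn in functions
            for name, needle in chains.items()
            if is_subsequence(needle, fn["apis"])]


def hosts_by_source(strings):
    """Map each dropped file / memory dump to the sorted hostnames it contains.
    Strings are cut at 100 chars and may carry a stray trailing byte (the "0" in
    http://t2.symcb.com0), so hosts are indicative, not exact."""
    out = defaultdict(set)
    for rec in strings:
        host = urlsplit(rec["string"]).netloc.lower()
        if host:
            for src in rec["sources"]:
                out[src].add(host)
    return {src: sorted(hosts) for src, hosts in out.items()}


if __name__ == "__main__":
    funcs, strs = parse_report(SAMPLE_LINES)
    for fid, chain in match_chains(funcs):
        print(f"{fid}: {chain}")
    for src, hosts in hosts_by_source(strs).items():
        print(f"{src}: {', '.join(hosts)}")
```

Run against the whole report rather than the sample, the same grouping shows that the hosts from the DevExpress and Newtonsoft DLLs are XAML schema namespaces, certificate CRL/OCSP and CPS endpoints and vendor documentation, those from the Rigaku monitor process are font-vendor URLs, and those from svchost.exe are OneDrive update endpoints unrelated to the sample, which is the context a reviewer needs before treating any of them as a network indicator.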
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\4d26bb.msi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\4d26bc.mst
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{12226574-52CC-483F-8DB0-E617C91F04D0}
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI360D.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI36C9.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\system32\msvcr100.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI6BC5.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{12226574-52CC-483F-8DB0-E617C91F04D0}
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{12226574-52CC-483F-8DB0-E617C91F04D0}\ARPPRODUCTICON.exe
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI8CAC.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\4d26be.msi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\4d26be.msi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{12226574-52CC-483F-8DB0-E617C91F04D0}\1033.MST
Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Windows\System32\msiexec.exe	File deleted: C:\Windows\Installer\MSI360D.tmp
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_0044A891
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_004782CB
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_00478834
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_0040C980
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_00498C92
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_00408D60
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_0040CDD0
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_00478DA4
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_00468E1E
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_00458F38
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_0040D090
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_00465120
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_0040D3F0
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_00479453
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_0040D476
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_0040D438
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_00409482
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_0040D4B6
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_0040D600
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_0046E37B
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_0049E300
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_0046A5E9
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_0047A8E7
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_00462CB0
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_00472EDD
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_0047B063
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_0046306F
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_0042F538
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_00463CC5
Source: C:\Users\user\Desktop\SureDI.exe	Code function: 0_2_0045FE04
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_00408D60
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_0044A891
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_0042F538
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_004782CB
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_00478834
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_0040C980
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_00498C92
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_0040CDD0
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_00478DA4
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_00468E1E
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_00458F38
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_0040D090
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_00465120
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_0040D3F0
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_00479453
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_0040D476
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_0040D438
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_00409482
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_0040D4B6
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_0040D600
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_0046E37B
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_0049E300
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_0046A5E9
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_0047A8E7
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_00462CB0
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_00472EDD
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_0047B063
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_0046306F
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_00463CC5
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: 1_2_0045FE04
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe	Code function: 10_2_00007FFD9B64756F
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Code function: 13_2_00007FFD9B63103B
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Code function: 13_2_00007FFD9B631985
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe	Code function: 13_2_00007FFD9B638879
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: String function: 00402CA0 appears 214 times
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: String function: 00419D16 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: String function: 00419426 appears 41 times
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: String function: 00454718 appears 107 times
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: String function: 00452D09 appears 57 times
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: String function: 004546AF appears 468 times
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: String function: 00458540 appears 44 times
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: String function: 004115ED appears 115 times
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: String function: 00452CDB appears 71 times
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: String function: 004546E2 appears 313 times
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe	Code function: String function: 004533D0 appears 131 times
Source: C:\Users\user\Desktop\SureDI.exe	Code function: String function: 00402CA0 appears 213 times
Source: C:\Users\user\Desktop\SureDI.exe	Code function: String function: 00419D16 appears 42 times
Source: C:\Users\user\Desktop\SureDI.exe	Code function: String function: 00419426 appears 39 times
Source: C:\Users\user\Desktop\SureDI.exe	Code function: String function: 00454718 appears 107 times
Source: C:\Users\user\Desktop\SureDI.exe	Code function: String function: 00452D09 appears 57 times
Source: C:\Users\user\Desktop\SureDI.exe	Code function: String function: 004546AF appears 468 times
Source: C:\Users\user\Desktop\SureDI.exe	Code function: String function: 00458540 appears 42 times
Source: C:\Users\user\Desktop\SureDI.exe	Code function: String function: 004115ED appears 113 times
Source: C:\Users\user\Desktop\SureDI.exe	Code function: String function: 00452CDB appears 71 times
Source: C:\Users\user\Desktop\SureDI.exe	Code function: String function: 004546E2 appears 313 times
Source: C:\Users\user\Desktop\SureDI.exe	Code function: String function: 004533D0 appears 131 times
Source: Rigaku.Plugins.DBManager.v4.0.dll.3.dr	Static PE information: No import functions for PE file found
Source: Rigaku.Plugins.UserManager.v4.0.dll.3.dr	Static PE information: No import functions for PE file found
Source: Rigaku.Plugins.Launcher.v1.0.dll.3.dr	Static PE information: No import functions for PE file found
Source: Rigaku.Plugins.Logging.v4.0.dll.3.dr	Static PE information: No import functions for PE file found
Source: Rigaku.Services.DBDataService.v4.0.dll.3.dr	Static PE information: No import functions for PE file found
Source: SureDI.exe, 00000000.00000000.1663445755.0000000000536000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameInstallShield Setup.exe< vs SureDI.exe
Source: SureDI.exe, 00000001.00000002.2224022369.0000000000536000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenameInstallShield Setup.exe< vs SureDI.exe
Source: SureDI.exe	Binary or memory string: OriginalFilenameInstallShield Setup.exe< vs SureDI.exe
Source: SureDI.exe	Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: DevExpress.Xpf.Core.v19.2.dll.3.dr	Binary or memory string: *.vbproj
Source: DevExpress.Spreadsheet.v19.2.Core.resources.dll.3.dr	Binary or memory string: tXtraSpreadsheetFunctionArgumentDescriptionStringId.SlnLife
Source: DevExpress.Spreadsheet.v19.2.Core.resources.dll.3.dr	Binary or memory string: %lXtraSpreadsheetFunctionArgumentNameStringId.SeriessumN"%lXtraSpreadsheetFunctionArgumentNameStringId.SeriessumX%%lXtraSpreadsheetFunctionArgumentNameStringId.SheetValue(%vXtraSpreadsheetFunctionArgumentNameStringId.SheetsReference-%lXtraSpreadsheetFunctionArgumentNameStringId.SignNumber5%lXtraSpreadsheetFunctionArgumentNameStringId.SinHNumber=%jXtraSpreadsheetFunctionArgumentNameStringId.SinNumberE%nXtraSpreadsheetFunctionArgumentNameStringId.SkewNumber1M%nXtraSpreadsheetFunctionArgumentNameStringId.SkewNumber2V%pXtraSpreadsheetFunctionArgumentNameStringId.SkewPNumber1_%pXtraSpreadsheetFunctionArgumentNameStringId.SkewPNumber2h%fXtraSpreadsheetFunctionArgumentNameStringId.SlnCostq%fXtraSpreadsheetFunctionArgumentNameStringId.SlnLife
Source: DevExpress.Spreadsheet.v19.2.Core.resources.dll.3.drBinary or memory string: zXtraSpreadsheetFunctionArgumentDescriptionStringId.SlnSalvage;a
Source: DevExpress.Spreadsheet.v19.2.Core.resources.dll.3.drBinary or memory string: %lXtraSpreadsheetFunctionArgumentNameStringId.SlnSalvage
Source: DevExpress.Spreadsheet.v19.2.Core.resources.dll.3.drBinary or memory string: \XtraSpreadsheetFunctionDescriptionStringId.Sln
Source: DevExpress.Spreadsheet.v19.2.Core.resources.dll.3.drBinary or memory string: tXtraSpreadsheetFunctionArgumentDescriptionStringId.SlnCost
Source: DevExpress.Xpf.Core.v19.2.dll.3.drBinary or memory string: *.csproj
Source: classification engineClassification label: sus26.evad.winEXE@20/259@0/1
Source: C:\Users\user\Desktop\SureDI.exe Code function: 0_2_00489993 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,0_2_00489993
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe Code function: 1_2_00489993 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,1_2_00489993
Source: C:\Users\user\Desktop\SureDI.exe Code function: 0_2_00450BEB lstrcpyW,GetDiskFreeSpaceExW,0_2_00450BEB
Source: C:\Users\user\Desktop\SureDI.exe Code function: 0_2_004405EF CoCreateInstance,0_2_004405EF
Source: C:\Users\user\Desktop\SureDI.exe Code function: 0_2_0048829B __EH_prolog3_GS,LoadResource,0_2_0048829B
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\Public\Desktop\SureDI.lnk
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Mutant created: NULL
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Mutant created: \Sessions\1\BaseNamedObjects\{63154030-8752-402C-ADD0-9A60549F636B}
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe Mutant created: \BaseNamedObjects\Global\netfxeventlog.1.0
Source: C:\Users\user\Desktop\SureDI.exe File created: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\Desktop\SureDI.exe Command line argument: debuglog 0_2_0044A891
Source: C:\Users\user\Desktop\SureDI.exe Command line argument: Setup.cpp 0_2_0044A891
Source: C:\Users\user\Desktop\SureDI.exe Command line argument: runfromtemp 0_2_0044A891
Source: C:\Users\user\Desktop\SureDI.exe Command line argument: reboot 0_2_0044A891
Source: C:\Users\user\Desktop\SureDI.exe Command line argument: Setup.cpp 0_2_0044A891
Source: C:\Users\user\Desktop\SureDI.exe Command line argument: Setup.cpp 0_2_0044A891
Source: C:\Users\user\Desktop\SureDI.exe Command line argument: l/O 0_2_0044A891
Source: C:\Users\user\Desktop\SureDI.exe Command line argument: %s%s 0_2_0044A891
Source: C:\Users\user\Desktop\SureDI.exe Command line argument: tempdisk1folder 0_2_0044A891
Source: C:\Users\user\Desktop\SureDI.exe Command line argument: eprq 0_2_0044A891
Source: C:\Users\user\Desktop\SureDI.exe Command line argument: ISSetup.dll 0_2_0044A891
Source: C:\Users\user\Desktop\SureDI.exe Command line argument: ISSetup.dll 0_2_0044A891
Source: C:\Users\user\Desktop\SureDI.exe Command line argument: Skin 0_2_0044A891
Source: C:\Users\user\Desktop\SureDI.exe Command line argument: Startup 0_2_0044A891
Source: C:\Users\user\Desktop\SureDI.exe Command line argument: setup.isn 0_2_0044A891
Source: C:\Users\user\Desktop\SureDI.exe Command line argument: count 0_2_0044A891
Source: C:\Users\user\Desktop\SureDI.exe Command line argument: Languages 0_2_0044A891
Source: C:\Users\user\Desktop\SureDI.exe Command line argument: key%d 0_2_0044A891
Source: C:\Users\user\Desktop\SureDI.exe Command line argument: Languages 0_2_0044A891
Source: C:\Users\user\Desktop\SureDI.exe Command line argument: %s\0x%04x.ini 0_2_0044A891
Source: C:\Users\user\Desktop\SureDI.exe Command line argument: %s\0x%04x.ini 0_2_0044A891
Source: C:\Users\user\Desktop\SureDI.exe Command line argument: %s\%04x.mst 0_2_0044A891
Source: C:\Users\user\Desktop\SureDI.exe Command line argument: %s\%04x.mst 0_2_0044A891
Source: C:\Users\user\Desktop\SureDI.exe Command line argument: Setup.cpp 0_2_0044A891
Source: C:\Users\user\Desktop\SureDI.exe Command line argument: clone_wait 0_2_0044A891
Source: C:\Users\user\Desktop\SureDI.exe Command line argument: Setup.cpp 0_2_0044A891
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe Command line argument: debuglog 1_2_0044A891
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe Command line argument: Setup.cpp 1_2_0044A891
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe Command line argument: runfromtemp 1_2_0044A891
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe Command line argument: reboot 1_2_0044A891
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe Command line argument: Setup.cpp 1_2_0044A891
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe Command line argument: Setup.cpp 1_2_0044A891
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe Command line argument: l/O 1_2_0044A891
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe Command line argument: %s%s 1_2_0044A891
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe Command line argument: tempdisk1folder 1_2_0044A891
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe Command line argument: eprq 1_2_0044A891
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe Command line argument: ISSetup.dll 1_2_0044A891
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe Command line argument: ISSetup.dll 1_2_0044A891
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe Command line argument: Skin 1_2_0044A891
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe Command line argument: Startup 1_2_0044A891
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe Command line argument: setup.isn 1_2_0044A891
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe Command line argument: count 1_2_0044A891
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe Command line argument: Languages 1_2_0044A891
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe Command line argument: key%d 1_2_0044A891
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe Command line argument: Languages 1_2_0044A891
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe Command line argument: %s\0x%04x.ini 1_2_0044A891
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe Command line argument: %s\0x%04x.ini 1_2_0044A891
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe Command line argument: %s\%04x.mst 1_2_0044A891
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe Command line argument: %s\%04x.mst 1_2_0044A891
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe Command line argument: Setup.cpp 1_2_0044A891
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe Command line argument: clone_wait 1_2_0044A891
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe Command line argument: Setup.cpp 1_2_0044A891
Source: SureDI.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SureDI.exe File read: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\_ISMSIDEL.INI
Source: C:\Users\user\Desktop\SureDI.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\SureDI.exe File read: C:\Users\user\Desktop\SureDI.exe
Source: unknown Process created: C:\Users\user\Desktop\SureDI.exe "C:\Users\user\Desktop\SureDI.exe"
Source: C:\Users\user\Desktop\SureDI.exe Process created: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe /q"C:\Users\user\Desktop\SureDI.exe" /tempdisk1folder"C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}" /IS_temp
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe Process created: C:\Windows\System32\msiexec.exe "C:\Windows\system32\MSIEXEC.EXE" /i "C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\Rigaku SureDI.msi" TRANSFORMS="C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\1033.MST" SETUPEXEDIR="C:\Users\user\Desktop" SETUPEXENAME="SureDI.exe"
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding CDB15B2CE92E28F3B8622149A9799E65 C
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 72C84AB51E330DD7B93C0FC1C98E56AC
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\System32\msiexec.exe C:\Windows\System32\MsiExec.exe -Embedding 61343986035DDA98571FD63CB9C8F73D E Global\MSI0000
Source: unknown Process created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe "C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe"
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 60E1AB94C32A1ADB74E0CFD4F89B3AA8 E Global\MSI0000
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe Process created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe True
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\Desktop\SureDI.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SureDI.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SureDI.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SureDI.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: srpapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: textinputframework.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: propsys.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: textshaping.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msisip.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msihnd.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: dwmapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: oleacc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: windowscodecs.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: riched20.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: usp10.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msls31.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: srclient.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: spp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vssapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vsstrace.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msisip.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: propsys.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: linkinfo.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntshrui.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cscapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: amsi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msisip.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wshext.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: secur32.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: propsys.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wininet.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: kdscli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: miutils.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wbemcomn.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe Section loaded: mscoree.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe Section loaded: apphelp.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe Section loaded: version.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe Section loaded: cryptsp.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe Section loaded: rsaenh.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe Section loaded: cryptbase.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe Section loaded: windows.storage.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe Section loaded: wldp.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe Section loaded: profapi.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe Section loaded: urlmon.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe Section loaded: iertutil.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe Section loaded: srvcli.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe Section loaded: netutils.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe Section loaded: sspicli.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe Section loaded: propsys.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe Section loaded: wtsapi32.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe Section loaded: winsta.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe Section loaded: iphlpapi.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe Section loaded: dhcpcsvc6.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe Section loaded: dhcpcsvc.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe Section loaded: dnsapi.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe Section loaded: mswsock.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe Section loaded: rasadhlp.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe Section loaded: fwpuclnt.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wininet.dll
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iertutil.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exeSection loaded: mscoree.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exeSection loaded: apphelp.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exeSection loaded: kernel.appcore.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exeSection loaded: version.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exeSection loaded: uxtheme.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exeSection loaded: cryptsp.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exeSection loaded: rsaenh.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exeSection loaded: cryptbase.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exeSection loaded: dwrite.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exeSection loaded: msvcp140_clr0400.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exeSection loaded: windows.storage.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exeSection loaded: wldp.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exeSection loaded: profapi.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exeSection loaded: wtsapi32.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exeSection loaded: winsta.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exeSection loaded: powrprof.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exeSection loaded: umpdc.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exeSection loaded: dwmapi.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exeSection loaded: d3d9.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exeSection loaded: d3d10warp.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exeSection loaded: dataexchange.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exeSection loaded: d3d11.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exeSection loaded: dcomp.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exeSection loaded: dxgi.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exeSection loaded: twinapi.appcore.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exeSection loaded: resourcepolicyclient.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exeSection loaded: dxcore.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exeSection loaded: textinputframework.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exeSection loaded: coreuicomponents.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exeSection loaded: coremessaging.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exeSection loaded: ntmarta.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exeSection loaded: coremessaging.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exeSection loaded: wintypes.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exeSection loaded: wintypes.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exeSection loaded: wintypes.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exeSection loaded: msctfui.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exeSection loaded: uiautomationcore.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exeSection loaded: propsys.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exeSection loaded: d3dcompiler_47.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exeSection loaded: windowscodecs.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exeSection loaded: textshaping.dll
Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: esent.dll
Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dll
Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dll
Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exeSection loaded: mi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dll
Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exeSection loaded: webio.dll
Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dll
Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dll
Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dll
Source: C:\Windows\System32\svchost.exeSection loaded: es.dll
Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dll
Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dll
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\InProcServer32
Source: C:\Users\user\Desktop\SureDI.exeFile written: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\_ISMSIDEL.INIJump to behavior
Source: C:\Windows\System32\msiexec.exeAutomated click: Next >
Source: C:\Windows\System32\msiexec.exeAutomated click: I accept the terms in the license agreement
Source: C:\Windows\System32\msiexec.exeAutomated click: Next >
Source: C:\Windows\System32\msiexec.exeAutomated click: Install
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Windows\System32\msiexec.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\RigakuJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDIJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\Rigaku.Services.DBDataService.v4.0.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\Rigaku.Plugins.DBManager.v4.0.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\Rigaku.Plugins.Launcher.v1.0.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\Rigaku.Plugins.Logging.v4.0.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\Rigaku.Services.MaterialsService.Interface.v4.0.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\Rigaku.Services.ReportingService.Interface.v4.0.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\Rigaku.Services.ReportingService.v4.0.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\Rigaku.Chart.Editors.v2.0.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\Rigaku.Chart.Interface.v2.0.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\Rigaku.Chart.Layers.v2.0.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\Rigaku.Chart.Other.v2.0.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\Rigaku.Chart.Utils.v2.0.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\Rigaku.Chart.v2.0.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\CreateSQLServerDatabase.exeJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\backup_SQLRigaku.cmdJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\Rigaku.DBMaintenance.exeJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\DBBackupFilesJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\DBBackupFiles\database_backup.xmlJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\DBBackupFiles\RigakuDB_Logging.bakJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\DBBackupFiles\RigakuDB_Project.bakJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\DBBackupFiles\RigakuDB_System.bakJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\LocalSQLserverSettings.exeJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\SQLserverConnectionSettings.exeJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\Rigaku.DSCViewerControlLib.v1.0.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\DevExpress.Charts.v19.2.Core.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\DevExpress.CodeParser.v19.2.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\DevExpress.Data.v19.2.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\DevExpress.DataAccess.v19.2.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\DevExpress.Docs.v19.2.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\DevExpress.Images.v19.2.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\DevExpress.Mvvm.v19.2.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\DevExpress.Office.v19.2.Core.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\DevExpress.Pdf.v19.2.Core.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\DevExpress.Pdf.v19.2.Drawing.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\DevExpress.Printing.v19.2.Core.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\DevExpress.RichEdit.v19.2.Core.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\DevExpress.Snap.v19.2.Core.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\DevExpress.Sparkline.v19.2.Core.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\DevExpress.Spreadsheet.v19.2.Core.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\DevExpress.Utils.v19.2.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Charts.v19.2.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.CodeView.v19.2.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Controls.v19.2.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Core.v19.2.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Docking.v19.2.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.DocumentViewer.v19.2.Core.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Gauges.v19.2.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Grid.v19.2.Core.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Grid.v19.2.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Grid.v19.2.Extensions.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Layout.v19.2.Core.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.LayoutControl.v19.2.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.NavBar.v19.2.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.PdfViewer.v19.2.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Printing.v19.2.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Ribbon.v19.2.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.RichEdit.v19.2.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Spreadsheet.v19.2.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Themes.Office2016White.v19.2.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Themes.SmartBlue.v19.2.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpo.v19.2.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\DevExpress.XtraCharts.v19.2.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\DevExpress.XtraEditors.v19.2.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Logic.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.DBBrowser.v1.0.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Interface.v1.0.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Logging.v1.0.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Signature.v1.0.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.UICommon.v1.0.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.v1.0.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exeJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exeJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe.configJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe.configJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\HelpJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\Help\SureDI_BasicPart_UserManual_EN.pdfJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\Help\SureDI_BasicPart_UserManual_JA.pdfJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\Help\SureDI_SystemAdministrator_UserManual_EN.pdfJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\Help\SureDI_SystemAdministrator_UserManual_JA.pdfJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\jaJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Data.v19.2.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.DataAccess.v19.2.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Office.v19.2.Core.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Pdf.v19.2.Core.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Printing.v19.2.Core.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.RichEdit.v19.2.Core.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Snap.v19.2.Core.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Sparkline.v19.2.Core.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Spreadsheet.v19.2.Core.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.Charts.v19.2.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.Controls.v19.2.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.Core.v19.2.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.Docking.v19.2.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.DocumentViewer.v19.2.Core.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.Grid.v19.2.Core.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.LayoutControl.v19.2.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.NavBar.v19.2.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.PdfViewer.v19.2.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.Printing.v19.2.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.Ribbon.v19.2.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.Spreadsheet.v19.2.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpo.v19.2.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.XtraCharts.v19.2.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.APF.Materials.v2.0.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.APF.MathA.v2.0.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.APF.Sample.v2.0.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.APF.StressModule.v1.0.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.APF.SystemExtensions.v2.0.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.APF.TextureModule.v1.1.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.APF.XrayPhysics.v2.0.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.ApplicationShell.Shell.Infrastructure.v4.0.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Chart.Editors.v2.0.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Chart.Interface.v2.0.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Chart.Layers.v2.0.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Chart.Other.v2.0.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Chart.Utils.v2.0.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Chart.v2.0.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.CustomDataDialog.v1.0.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.DataBrowserDialog.v1.0.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.DBKeeperLogic.v4.0.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.DSCViewerControlLib.v1.0.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.EresSystem.DBBrowser.v1.0.resources.dllJump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.EresSystem.UICommon.v1.0.resources.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.EresSystem.v1.0.resources.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.ImageViewerControlLib.v1.0.resources.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.MRInfrastructure.v3.0.resources.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Plugins.DBManager.v4.0.resources.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Plugins.Launcher.v1.0.resources.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Plugins.Logging.v4.0.resources.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Plugins.TreeBasePlugin.Interface.v4.0.resources.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Plugins.UserManager.v4.0.resources.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.RigakuCommonTools.v1.0.resources.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Services.DBDataService.v4.0.resources.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Services.ReportingService.Interface.v4.0.resources.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Services.ReportingService.v4.0.resources.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.SignatureLib.v1.0.resources.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\ja\SureDI.v1.0.resources.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\License
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\License\JP
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\License\JP\License.rtf
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\License\ThirdParty
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\License\ThirdParty\ThirdPartyPrograms.txt
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\License\US
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\License\US\License.rtf
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.EnterpriseLibrary.Common.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.Logging.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.EnterpriseLibrary.Logging.Database.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.EnterpriseLibrary.Logging.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.Prism.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.Prism.Interactivity.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.Prism.MefExtensions.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.Prism.UnityExtensions.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.ServiceLocation.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.Unity.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.Unity.Interception.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.APF.Materials.v2.0.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.APF.MathA.v2.0.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.APF.Sample.v2.0.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.APF.StressMath.v1.0.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.APF.StressModule.v1.0.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.APF.SystemExtensions.v2.0.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.APF.TextureMath.v1.0.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.APF.TextureModule.v1.1.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.APF.XrayPhysics.v2.0.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.Infrastructure.ImageLib.v1.0.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.Infrastructure.IO.v1.0.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.Infrastructure.RasxLib.v1.0.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.InstrumentFramework.Communication.v1.0.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.InstrumentFramework.DataStruct.v1.0.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.PhysicalFramework.Basic.v1.0.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.PhysicalFramework.Film.v1.0.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.PhysicalFramework.Powder.v1.0.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.PhysicalFramework.xPDF.v1.0.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\SQLQuery
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\SQLQuery\RigakuDB
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\SQLQuery\RigakuDB\AddDataFileResultFilesInfoConstraint.sql
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\SQLQuery\RigakuDB\CreateDataFileResultFilesInfo.sql
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\SQLQuery\RigakuDB\CreateTablesMng.sql
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\SureDI.v1.0.exe
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\EntLibContrib.Logging.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\Ionic.Zip.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\MathNet.Numerics.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\Newtonsoft.Json.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\PdfSharp-WPF.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\PdfSharp.Xps.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\PluginsCatalog.xaml
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.ApplicationShell.Shell.Infrastructure.Interface.v4.0.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.ApplicationShell.Shell.Infrastructure.v4.0.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.CustomDataDialog.v1.0.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.DataBrowserDialog.v1.0.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.DBKeeperLogic.v4.0.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.DBUPR.DI.v1.0.exe
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.ImageViewerControlLib.v1.0.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.MRInfrastructure.v3.0.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.RigakuCommonTools.v1.0.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.RLPS.DI.v1.0.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.SignatureLib.v1.0.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\SlimDX.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\SureDI.v1.0.exe.config
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\System.ComponentModel.Composition.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\System.Windows.Interactivity.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\tbb.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\TouchKeyboardNotifier.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\zlib.net.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.Plugins.TreeBasePlugin.Interface.v4.0.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\UpdateSQL.exe
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\wupi.net.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\WupiEngine64.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\WupiEngineNet.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\MonitoredUndo.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.Services.UndoRedoService.Interface.v4.0.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Rigaku\SureDI\Rigaku.Plugins.UserManager.v4.0.dll
Source: C:\Windows\System32\msiexec.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12226574-52CC-483F-8DB0-E617C91F04D0}
Source: SureDI.exe Static PE information: certificate valid
Source: SureDI.exe Static file information: File size 100313696 > 1048576
Source: SureDI.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Projects\develop_v4.5_Rigaku_ERES_SDK\RigakuEresSystem\Rigaku.EresSystem.Logging\obj\Release\Rigaku.EresSystem.Logging.v1.0.pdb source: Rigaku.EresSystem.MonitorService.v1.0.exe, 0000000A.00000002.2930700715.000001C23A0C2000.00000002.00000001.01000000.00000010.sdmp
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: Newtonsoft.Json.dll.3.dr
Source: Binary string: e:\Builds\EntLib\Latest\Source\Blocks\Logging\Src\Logging\obj\Release\Microsoft.Practices.EnterpriseLibrary.Logging.pdb source: Rigaku.EresSystem.MonitorService.v1.0.exe, 0000000A.00000002.2934280354.000001C252A22000.00000002.00000001.01000000.00000014.sdmp
Source: Binary string: msvcr100.amd64.pdb source: msvcr100.dll.3.dr
Source: Binary string: C:\Projects\develop_v4.5_Rigaku_ERES_SDK\RigakuEresSystem\Rigaku.EresSystem.UICommon\obj\Release\Rigaku.EresSystem.UICommon.v1.0.pdbE source: Rigaku.EresSystem.UICommon.v1.0.dll.3.dr
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: Newtonsoft.Json.dll.3.dr
Source: Binary string: e:\Builds\Unity\UnityTemp\Compile\Unity\Unity\Src\obj\Release\Microsoft.Practices.Unity.pdb source: Rigaku.EresSystem.MonitorService.v1.0.exe, 0000000A.00000002.2933982351.000001C2529A2000.00000002.00000001.01000000.00000012.sdmp
Source: Binary string: e:\Builds\Unity\UnityTemp\Compile\Unity\Unity.Interception\Src\obj\Release\Microsoft.Practices.Unity.Interception.pdb source: Rigaku.EresSystem.MonitorService.v1.0.exe, 0000000A.00000002.2934118534.000001C2529D2000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: C:\Projects\develop_v4.5_Rigaku_ERES_SDK\Desktop\Plugins\DBManager\Source\DBManager\obj\x64\Release\Rigaku.Plugins.DBManager.v4.0.pdb source: Rigaku.Plugins.DBManager.v4.0.dll.3.dr
Source: Binary string: c:\projects\19.2\BuildLabel\Temp\NetStudio.v19.2.2005\XPF\DevExpress.Xpf.Core\DevExpress.Xpf.Core\obj.Wpf\Release\DevExpress.Xpf.Core.v19.2.pdbH! source: DevExpress.Xpf.Core.v19.2.dll.3.dr
Source: Binary string: C:\Projects\develop_v4.5_Rigaku_ERES_SDK\RigakuEresSystem\Rigaku.EresSystem.UICommon\obj\Release\Rigaku.EresSystem.UICommon.v1.0.pdb source: Rigaku.EresSystem.UICommon.v1.0.dll.3.dr
Source: Binary string: c:\projects\19.2\BuildLabel\Temp\NetStudio.v19.2.2005\XPF\DevExpress.Mvvm\DevExpress.Mvvm.UI.ApplicationJumpTaskLauncher\obj\Release\DevExpress.Mvvm.UI.ApplicationJumpTaskLauncher.pdb source: DevExpress.Xpf.Core.v19.2.dll.3.dr
Source: Binary string: c:\Home\Chris\Projects\CommonServiceLocator\main\Microsoft.Practices.ServiceLocation\obj\Release\Microsoft.Practices.ServiceLocation.pdb source: Rigaku.EresSystem.MonitorService.v1.0.exe, 0000000A.00000002.2930784627.000001C23A0E2000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: c:\projects\19.2\BuildLabel\Temp\NetStudio.v19.2.2005\XPF\DevExpress.Xpf.Core\DevExpress.Xpf.Core\obj.Wpf\Release\DevExpress.Xpf.Core.v19.2.pdb source: DevExpress.Xpf.Core.v19.2.dll.3.dr
Source: Binary string: C:\CodeBases\isdev\redist\Language Independent\i386\setup.pdb source: SureDI.exe
Source: Binary string: C:\Projects\develop_v4.5_Rigaku_ERES_SDK\RigakuEresSystem\Rigaku.EresSystem.MonitorService\obj\x64\Release\Rigaku.EresSystem.MonitorService.v1.0.pdb source: Rigaku.EresSystem.MonitorService.v1.0.exe, 0000000A.00000000.2105764810.000001C2398F2000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: e:\Builds\EntLib\Latest\Source\Blocks\Common\Src\obj\Release\Microsoft.Practices.EnterpriseLibrary.Common.pdb source: Rigaku.EresSystem.MonitorService.v1.0.exe, 0000000A.00000002.2934567546.000001C252AA2000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: c:\projects\19.2\BuildLabel\Temp\NetStudio.v19.2.2005\Win\DevExpress.Pdf\DevExpress.Pdf.Core\obj_netFW\Release\DevExpress.Pdf.v19.2.Core.pdb source: DevExpress.Pdf.v19.2.Core.dll.3.dr
Source: Binary string: C:\Project\develop_v4.5_Rigaku_ERES_SDK\SQLDatabase\Tools\Maintenance\LocalSQLserverSettings\LocalSQLserverSettings\obj\Release\LocalSQLserverSettings.pdb source: LocalSQLserverSettings.exe.3.dr
Source: Binary string: C:\Projects\develop_v4.5_Rigaku_ERES_SDK\RigakuEresSystem\Rigaku.EresSystem.Monitor\obj\x64\Release\Rigaku.EresSystem.Monitor.v1.0.pdb source: Rigaku.EresSystem.Monitor.v1.0.exe, 0000000D.00000000.2161411867.00000216E2912000.00000002.00000001.01000000.00000009.sdmp
Source: Rigaku.Plugins.Launcher.v1.0.dll.3.dr Static PE information: 0x916A16A1 [Tue Apr 23 16:15:29 2047 UTC]
Source: C:\Users\user\Desktop\SureDI.exe Code function: 0_2_00450F18 __EH_prolog3_GS,LoadLibraryW,GetProcAddress,#17, 0_2_00450F18
Source: C:\Users\user\Desktop\SureDI.exe Code function: 0_2_00458585 push ecx; ret 0_2_00458598
Source: C:\Users\user\Desktop\SureDI.exe Code function: 0_2_0045467D push ecx; ret 0_2_00454690
Source: C:\Users\user\Desktop\SureDI.exe Code function: 0_2_0045CE25 push ebp; ret 0_2_0045CE26
Source: C:\Users\user\Desktop\SureDI.exe Code function: 0_2_0045B931 push edi; ret 0_2_0045B933
Source: C:\Users\user\Desktop\SureDI.exe Code function: 0_2_0045BA4A push esi; ret 0_2_0045BA4C
Source: C:\Users\user\Desktop\SureDI.exe Code function: 0_2_0045BC25 push esi; ret 0_2_0045BC27
Source: C:\Users\user\Desktop\SureDI.exe Code function: 0_2_0045BD0E push edi; ret 0_2_0045BD10
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe Code function: 1_2_00458585 push ecx; ret 1_2_00458598
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe Code function: 1_2_0045467D push ecx; ret 1_2_00454690
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe Code function: 1_2_0045CE25 push ebp; ret 1_2_0045CE26
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe Code function: 1_2_0045B931 push edi; ret 1_2_0045B933
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe Code function: 1_2_0045BA4A push esi; ret 1_2_0045BA4C
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe Code function: 1_2_0045BC25 push esi; ret 1_2_0045BC27
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe Code function: 1_2_0045BD0E push edi; ret 1_2_0045BD10
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe Code function: 10_2_00007FFD9B51D2A5 pushad ; iretd 10_2_00007FFD9B51D2A6
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe Code function: 10_2_00007FFD9B63592C push edx; retf 10_2_00007FFD9B6359DB
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe Code function: 10_2_00007FFD9B6358F2 push edx; retf 10_2_00007FFD9B6359DB
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe Code function: 10_2_00007FFD9B635945 push edx; retf 10_2_00007FFD9B6359DB
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe Code function: 10_2_00007FFD9B638123 push ebx; ret 10_2_00007FFD9B63816A
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe Code function: 10_2_00007FFD9B644710 push cs; retn 5F9Ch 10_2_00007FFD9B64B85F
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe Code function: 10_2_00007FFD9B648EE0 pushad ; retf 10_2_00007FFD9B648EF1
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe Code function: 10_2_00007FFD9B638DD0 pushad ; ret 10_2_00007FFD9B638E54
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe Code function: 10_2_00007FFD9B731B31 push edx; retn 0001h 10_2_00007FFD9B731C5C
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe Code function: 10_2_00007FFD9B730070 push edx; retn 0001h 10_2_00007FFD9B73001C
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe Code function: 10_2_00007FFD9B732800 push edx; retn 0001h 10_2_00007FFD9B73285C
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe Code function: 10_2_00007FFD9B730001 push edx; retn 0001h 10_2_00007FFD9B730004
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe Code function: 10_2_00007FFD9B730008 push edx; retn 0001h 10_2_00007FFD9B73001C
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe Code function: 10_2_00007FFD9B730410 push edx; retn 0001h 10_2_00007FFD9B73042C
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe Code function: 10_2_00007FFD9B730C10 push edx; retn 0001h 10_2_00007FFD9B730CA4
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe Code function: 10_2_00007FFD9B734C1F push edx; retn 0001h 10_2_00007FFD9B734C1C
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe Code function: 10_2_00007FFD9B732824 push edx; retn 0001h 10_2_00007FFD9B73285C
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSIFDE6.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.DBBrowser.v1.0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\DevExpress.Images.v19.2.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Plugins.Logging.v4.0.resources.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\Rigaku.APF.TextureModule.v1.1.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\Rigaku.PhysicalFramework.xPDF.v1.0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\Rigaku.Plugins.DBManager.v4.0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\Rigaku.DBKeeperLogic.v4.0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.Prism.MefExtensions.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.Ribbon.v19.2.resources.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\DevExpress.Docs.v19.2.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Controls.v19.2.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Chart.Other.v2.0.resources.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.EresSystem.UICommon.v1.0.resources.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\wupi.net.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.DBKeeperLogic.v4.0.resources.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\DevExpress.Printing.v19.2.Core.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.CodeView.v19.2.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.Unity.Interception.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Gauges.v19.2.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.PdfViewer.v19.2.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\SureDI.v1.0.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\Rigaku.Plugins.Launcher.v1.0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\DevExpress.Charts.v19.2.Core.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Plugins.UserManager.v4.0.resources.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\Rigaku.Services.DBDataService.v4.0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\Rigaku.DBMaintenance.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\DevExpress.Mvvm.v19.2.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\DevExpress.Snap.v19.2.Core.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.Prism.UnityExtensions.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.NavBar.v19.2.resources.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\PdfSharp-WPF.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\Rigaku.MRInfrastructure.v3.0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Services.ReportingService.Interface.v4.0.resources.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\CreateSQLServerDatabase.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Data.v19.2.resources.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.Docking.v19.2.resources.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Spreadsheet.v19.2.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.Unity.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Plugins.TreeBasePlugin.Interface.v4.0.resources.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\Rigaku.PhysicalFramework.Powder.v1.0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.Prism.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\Rigaku.Chart.Other.v2.0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\Rigaku.RigakuCommonTools.v1.0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\Rigaku.Infrastructure.ImageLib.v1.0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\System32\msvcr100.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\Rigaku.Services.ReportingService.Interface.v4.0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Ribbon.v19.2.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\DevExpress.Sparkline.v19.2.Core.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.Printing.v19.2.resources.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.ImageViewerControlLib.v1.0.resources.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\TouchKeyboardNotifier.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.CustomDataDialog.v1.0.resources.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.DocumentViewer.v19.2.Core.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Core.v19.2.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.ApplicationShell.Shell.Infrastructure.v4.0.resources.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.APF.SystemExtensions.v2.0.resources.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\Rigaku.APF.StressMath.v1.0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Services.ReportingService.v4.0.resources.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.LayoutControl.v19.2.resources.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpo.v19.2.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\Rigaku.Services.ReportingService.v4.0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\tbb.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.APF.MathA.v2.0.resources.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Snap.v19.2.Core.resources.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\DevExpress.Pdf.v19.2.Core.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\Rigaku.RLPS.DI.v1.0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\LocalSQLserverSettings.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\Rigaku.Plugins.TreeBasePlugin.Interface.v4.0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Layout.v19.2.Core.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\Rigaku.Services.UndoRedoService.Interface.v4.0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\Rigaku.Infrastructure.RasxLib.v1.0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\Rigaku.DBUPR.DI.v1.0.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.DSCViewerControlLib.v1.0.resources.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.APF.XrayPhysics.v2.0.resources.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\zlib.net.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Docking.v19.2.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.APF.Sample.v2.0.resources.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Grid.v19.2.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\DevExpress.Data.v19.2.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\Rigaku.DSCViewerControlLib.v1.0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.RigakuCommonTools.v1.0.resources.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI6BC5.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.LayoutControl.v19.2.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.SignatureLib.v1.0.resources.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\Rigaku.ImageViewerControlLib.v1.0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\Rigaku.PhysicalFramework.Film.v1.0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Logging.v1.0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.UICommon.v1.0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.DocumentViewer.v19.2.Core.resources.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\Rigaku.APF.StressModule.v1.0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\WupiEngineNet.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.Charts.v19.2.resources.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Themes.Office2016White.v19.2.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\DevExpress.Utils.v19.2.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\Rigaku.APF.MathA.v2.0.dll
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\Rigaku.Plugins.UserManager.v4.0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.v1.0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\ja\SureDI.v1.0.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\Rigaku.Services.MaterialsService.Interface.v4.0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.Core.v19.2.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.Logging.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Plugins.Launcher.v1.0.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Printing.v19.2.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.RichEdit.v19.2.Core.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\SlimDX.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\Rigaku.APF.Materials.v2.0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\MathNet.Numerics.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.APF.Materials.v2.0.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Grid.v19.2.Core.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\Rigaku.SignatureLib.v1.0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\{12226574-52CC-483F-8DB0-E617C91F04D0}\ARPPRODUCTICON.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\Rigaku.Chart.Editors.v2.0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\Newtonsoft.Json.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.RichEdit.v19.2.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\DevExpress.XtraEditors.v19.2.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Chart.Layers.v2.0.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Printing.v19.2.Core.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\Rigaku.InstrumentFramework.Communication.v1.0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Logic.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.EnterpriseLibrary.Common.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\Rigaku.InstrumentFramework.DataStruct.v1.0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\Rigaku.DataBrowserDialog.v1.0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.EresSystem.v1.0.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Chart.Interface.v2.0.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\UpdateSQL.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Sparkline.v19.2.Core.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\Rigaku.PhysicalFramework.Basic.v1.0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\Rigaku.Chart.Layers.v2.0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Spreadsheet.v19.2.Core.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\DevExpress.DataAccess.v19.2.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.Spreadsheet.v19.2.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\Rigaku.ApplicationShell.Shell.Infrastructure.v4.0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\Rigaku.APF.SystemExtensions.v2.0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.NavBar.v19.2.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\Rigaku.APF.TextureMath.v1.0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\DevExpress.RichEdit.v19.2.Core.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Services.DBDataService.v4.0.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Plugins.DBManager.v4.0.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Interface.v1.0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\Rigaku.APF.Sample.v2.0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Themes.SmartBlue.v19.2.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Office.v19.2.Core.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\Rigaku.Chart.Utils.v2.0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.DataAccess.v19.2.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\Rigaku.APF.XrayPhysics.v2.0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.Controls.v19.2.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.APF.TextureModule.v1.1.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\Rigaku.Chart.v2.0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpo.v19.2.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\DevExpress.Spreadsheet.v19.2.Core.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Grid.v19.2.Extensions.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Chart.Editors.v2.0.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI360D.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.EnterpriseLibrary.Logging.Database.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.Grid.v19.2.Core.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\DevExpress.Pdf.v19.2.Drawing.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\WupiEngine64.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\Rigaku.ApplicationShell.Shell.Infrastructure.Interface.v4.0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.ServiceLocation.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\MonitoredUndo.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.DataBrowserDialog.v1.0.resources.dllJump to dropped file
Source: C:\Users\user\Desktop\SureDI.exeFile created: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.MRInfrastructure.v3.0.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\DevExpress.CodeParser.v19.2.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\SQLserverConnectionSettings.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Signature.v1.0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Xpf.PdfViewer.v19.2.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Charts.v19.2.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\System.ComponentModel.Composition.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\EntLibContrib.Logging.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\DevExpress.XtraCharts.v19.2.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.XtraCharts.v19.2.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.APF.StressModule.v1.0.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.Prism.Interactivity.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Chart.v2.0.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\Rigaku.Plugins.Logging.v4.0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\Rigaku.CustomDataDialog.v1.0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\Ionic.Zip.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.EnterpriseLibrary.Logging.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.Chart.Utils.v2.0.resources.dllJump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\Users\user\AppData\Local\Temp\wac36A9.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\ja\Rigaku.EresSystem.DBBrowser.v1.0.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI8CAC.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\Rigaku.Infrastructure.IO.v1.0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\ja\DevExpress.Pdf.v19.2.Core.resources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\System.Windows.Interactivity.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\DevExpress.Office.v19.2.Core.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\Rigaku.Chart.Interface.v2.0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Rigaku\SureDI\PdfSharp.Xps.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\System32\msvcr100.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\License\JP\License.rtf
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Rigaku\SureDI\License\US\License.rtf
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application
Source: C:\Windows\System32\msiexec.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Rigaku
Source: C:\Windows\System32\msiexec.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Rigaku\SureDI
Source: C:\Windows\System32\msiexec.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Rigaku\SureDI\SureDI.lnk

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\msiexec.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Users\user\Desktop\SureDI.exe Code function: 0_2_00458F38 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe - Process information set: NOOPENFILEERRORBOX (56 identical entries in the report)
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe - Process information set: NOOPENFILEERRORBOX (75 identical entries in the report)
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe - Memory allocated: 1C239D00000 memory reserve | memory write watch
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe - Memory allocated: 1C2522E0000 memory reserve | memory write watch
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe - Memory allocated: 216E2C70000 memory reserve | memory write watch
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe - Memory allocated: 216FC6F0000 memory reserve | memory write watch
Source: C:\Windows\System32\msiexec.exe - Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe - Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe - Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe - Window / User API: threadDelayed 3790
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe - Window / User API: threadDelayed 6036
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe - Window / User API: threadDelayed 4932
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe - Window / User API: threadDelayed 4974
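The behaviour entries above (error-mode setting, write-watch reservations, the 922337203685477 ms delays) and the dropped-file entries that follow are extracted with the source path fused onto the event name and a "Jump to behavior" / "Jump to dropped file" link suffix. The Python below is an added triage helper, not code from the Joe Sandbox report or from Rigaku's software: it parses lines of that raw shape, collapses the verbatim duplicates into counts, flags PE files dropped under the Windows directory (the msvcr100.dll written to System32 and the two files under C:\Windows\Installer are the ones worth a signature and hash check), and decodes the delay value. Interpretation assumed here rather than stated by the report: NOOPENFILEERRORBOX is SetErrorMode(SEM_NOOPENFILEERRORBOX), which only suppresses the "file not found" dialog when a load fails; 922337203685477 is Int64.MaxValue / 10000, i.e. TimeSpan.MaxValue in milliseconds, so it marks a wait with no timeout rather than a sleep chosen to outlast a sandbox; and the .NET garbage collector reserves heap segments with MEM_WRITE_WATCH, so write-watch allocations from a managed process (the installed DevExpress, Prism and Newtonsoft.Json assemblies show this is one) are expected. The sample lines are copied from this report.

```python
"""Triage helper for Joe Sandbox behaviour lines (added example, not report code)."""
import re
from collections import Counter

# Event names that occur in the report's "Source: <path><event>: <detail>" lines.
# The HTML extraction fused the source path onto the event name, so the known
# event names, not whitespace, are the delimiter between the two columns.
EVENTS = (
    "Process information set",
    "Memory allocated",
    "Thread delayed",
    "Window / User API",
    "Dropped PE file which has not been started",
)
LINE_RE = re.compile(
    r"^Source:\s*(?P<source>.+?)\s*"
    r"(?P<event>" + "|".join(re.escape(e) for e in EVENTS) + r")"
    r":\s*(?P<detail>.*?)\s*(?:Jump to (?:behavior|dropped file))?$"
)

# Constructed sample input: a subset of lines copied verbatim from this report.
SAMPLE = [
    r"Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior",
    r"Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior",
    r"Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exeProcess information set: NOOPENFILEERRORBOX",
    r"Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exeMemory allocated: 1C239D00000 memory reserve | memory write watchJump to behavior",
    r"Source: C:\Windows\System32\msiexec.exeThread delayed: delay time: 922337203685477Jump to behavior",
    r"Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exeWindow / User API: threadDelayed 3790Jump to behavior",
    r"Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\System32\msvcr100.dllJump to dropped file",
    r"Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Newtonsoft.Json.dllJump to dropped file",
    r"Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIFDE6.tmpJump to dropped file",
]

INT64_MAX = 2**63 - 1
TICKS_PER_MS = 10_000  # a .NET TimeSpan tick is 100 ns, so 10,000 ticks per ms


def parse_report(lines):
    """Return (source, event, detail) for every line that has the expected shape."""
    records = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            records.append((m["source"], m["event"], m["detail"]))
    return records


def summarize(records):
    """Collapse verbatim duplicates; the count is the only information they carry."""
    return Counter(records)


def classify_path(path):
    """Coarse location class for a dropped file; anything outside Program Files/Temp stands out."""
    p = path.lower()
    if p.startswith(r"c:\windows\system32"):
        return "system32"
    if p.startswith(r"c:\windows"):
        return "windows"
    if p.startswith(r"c:\program files"):
        return "program_files"
    if r"\appdata\local\temp" in p:
        return "temp"
    return "other"


def dropped_files(records):
    """Group 'Dropped PE file' paths by location class."""
    out = {}
    for _src, event, detail in records:
        if event.startswith("Dropped PE file"):
            out.setdefault(classify_path(detail), []).append(detail)
    return out


def suspicious_drops(records):
    """PE files written under the Windows directory: verify signature and hash before trusting them."""
    groups = dropped_files(records)
    return groups.get("system32", []) + groups.get("windows", [])


def delays_ms(records):
    """Millisecond delay values from 'Thread delayed' entries."""
    found = []
    for _src, event, detail in records:
        if event == "Thread delayed":
            m = re.search(r"delay time:\s*(\d+)", detail)
            if m:
                found.append(int(m.group(1)))
    return found


def is_dotnet_infinite_wait(delay_ms):
    """True for Int64.MaxValue // 10000 ms, i.e. TimeSpan.MaxValue in milliseconds:
    a wait with no timeout, not a sleep chosen to outlast a sandbox."""
    return delay_ms == INT64_MAX // TICKS_PER_MS


def write_watch_sources(records):
    """Processes that reserved memory with MEM_WRITE_WATCH (expected from the .NET GC)."""
    return sorted({src for src, event, detail in records
                   if event == "Memory allocated" and "write watch" in detail})


if __name__ == "__main__":
    recs = parse_report(SAMPLE)
    for (src, event, detail), n in summarize(recs).items():
        print(f"{n:3d}x  {src}  {event}: {detail}")
    print("PE dropped under the Windows directory:", suspicious_drops(recs))
    print("write-watch reservations by:", write_watch_sources(recs))
    for d in delays_ms(recs):
        kind = "unbounded .NET wait" if is_dotnet_infinite_wait(d) else "timed delay"
        print(f"delay {d} ms -> {kind}")
```

Feed it the report's raw behaviour lines (one per line) instead of SAMPLE to get the same summary for the whole analysis; the location classes are deliberately coarse so that a drop into System32 or C:\Windows\Installer is never buried among the Program Files entries.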
Source: C:\Windows\System32\msiexec.exe - Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.UICommon.v1.0.dll
Source: C:\Windows\System32\msiexec.exe - Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.dll
Source: C:\Windows\System32\msiexec.exe - Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.APF.StressModule.v1.0.dll
Source: C:\Windows\System32\msiexec.exe - Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\WupiEngineNet.dll
Source: C:\Windows\System32\msiexec.exe - Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Themes.Office2016White.v19.2.dll
Source: C:\Windows\System32\msiexec.exe - Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIFDE6.tmp
Source: C:\Windows\System32\msiexec.exe - Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Utils.v19.2.dll
Source: C:\Windows\System32\msiexec.exe - Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.APF.MathA.v2.0.dll
Source: C:\Windows\System32\msiexec.exe - Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.DBBrowser.v1.0.dll
Source: C:\Windows\System32\msiexec.exe - Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.Plugins.UserManager.v4.0.dll
Source: C:\Windows\System32\msiexec.exe - Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Images.v19.2.dll
Source: C:\Windows\System32\msiexec.exe - Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.v1.0.dll
Source: C:\Windows\System32\msiexec.exe - Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.APF.TextureModule.v1.1.dll
Source: C:\Windows\System32\msiexec.exe - Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.PhysicalFramework.xPDF.v1.0.dll
Source: C:\Windows\System32\msiexec.exe - Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.Services.MaterialsService.Interface.v4.0.dll
Source: C:\Windows\System32\msiexec.exe - Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.Logging.dll
Source: C:\Windows\System32\msiexec.exe - Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Printing.v19.2.dll
Source: C:\Windows\System32\msiexec.exe - Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\SlimDX.dll
Source: C:\Windows\System32\msiexec.exe - Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.Plugins.DBManager.v4.0.dll
Source: C:\Windows\System32\msiexec.exe - Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.APF.Materials.v2.0.dll
Source: C:\Windows\System32\msiexec.exe - Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\MathNet.Numerics.dll
Source: C:\Windows\System32\msiexec.exe - Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.DBKeeperLogic.v4.0.dll
Source: C:\Windows\System32\msiexec.exe - Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Grid.v19.2.Core.dll
Source: C:\Windows\System32\msiexec.exe - Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.SignatureLib.v1.0.dll
Source: C:\Windows\System32\msiexec.exe - Dropped PE file which has not been started: C:\Windows\Installer\{12226574-52CC-483F-8DB0-E617C91F04D0}\ARPPRODUCTICON.exe
Source: C:\Windows\System32\msiexec.exe - Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.Prism.MefExtensions.dll
Source: C:\Windows\System32\msiexec.exe - Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.Chart.Editors.v2.0.dll
Source: C:\Windows\System32\msiexec.exe - Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Newtonsoft.Json.dll
Source: C:\Windows\System32\msiexec.exe - Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.XtraEditors.v19.2.dll
Source: C:\Windows\System32\msiexec.exe - Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.RichEdit.v19.2.dll
Source: C:\Windows\System32\msiexec.exe - Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Controls.v19.2.dll
Source: C:\Windows\System32\msiexec.exe - Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Docs.v19.2.dll
Source: C:\Windows\System32\msiexec.exe - Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\wupi.net.dll
Source: C:\Windows\System32\msiexec.exe - Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.InstrumentFramework.Communication.v1.0.dll
Source: C:\Windows\System32\msiexec.exe - Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Printing.v19.2.Core.dll
Source: C:\Windows\System32\msiexec.exe - Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Logic.dll
Source: C:\Windows\System32\msiexec.exe - Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.CodeView.v19.2.dll
Source: C:\Windows\System32\msiexec.exe - Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.EnterpriseLibrary.Common.dll
Source: C:\Windows\System32\msiexec.exe - Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.Unity.Interception.dll
Source: C:\Windows\System32\msiexec.exe - Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.InstrumentFramework.DataStruct.v1.0.dll
Source: C:\Windows\System32\msiexec.exe - Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.DataBrowserDialog.v1.0.dll
Source: C:\Windows\System32\msiexec.exe - Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Gauges.v19.2.dll
Source: C:\Windows\System32\msiexec.exe - Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.PdfViewer.v19.2.dll
Source: C:\Windows\System32\msiexec.exe - Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\UpdateSQL.exe
Source: C:\Windows\System32\msiexec.exe - Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.PhysicalFramework.Basic.v1.0.dll
Source: C:\Windows\System32\msiexec.exe - Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.Chart.Layers.v2.0.dll
Source: C:\Windows\System32\msiexec.exe - Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.DataAccess.v19.2.dll
Source: C:\Windows\System32\msiexec.exe - Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.ApplicationShell.Shell.Infrastructure.v4.0.dll
Source: C:\Windows\System32\msiexec.exe - Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.APF.SystemExtensions.v2.0.dll
Source: C:\Windows\System32\msiexec.exe - Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\SureDI.v1.0.exe
Source: C:\Windows\System32\msiexec.exe - Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.NavBar.v19.2.dll
Source: C:\Windows\System32\msiexec.exe - Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.Plugins.Launcher.v1.0.dll
Source: C:\Windows\System32\msiexec.exe - Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.APF.TextureMath.v1.0.dll
Source: C:\Windows\System32\msiexec.exe - Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.RichEdit.v19.2.Core.dll
Source: C:\Windows\System32\msiexec.exe - Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Charts.v19.2.Core.dll
Source: C:\Windows\System32\msiexec.exe - Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Interface.v1.0.dll
Source: C:\Windows\System32\msiexec.exe - Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.Services.DBDataService.v4.0.dll
Source: C:\Windows\System32\msiexec.exe - Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.DBMaintenance.exe
Source: C:\Windows\System32\msiexec.exe - Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Mvvm.v19.2.dll
Source: C:\Windows\System32\msiexec.exe - Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Snap.v19.2.Core.dll
Source: C:\Windows\System32\msiexec.exe - Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.Prism.UnityExtensions.dll
Source: C:\Windows\System32\msiexec.exe - Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.APF.Sample.v2.0.dll
Source: C:\Windows\System32\msiexec.exe - Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\PdfSharp-WPF.dll
Source: C:\Windows\System32\msiexec.exe - Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.MRInfrastructure.v3.0.dll
Source: C:\Windows\System32\msiexec.exe - Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Themes.SmartBlue.v19.2.dll
Source: C:\Windows\System32\msiexec.exe - Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\CreateSQLServerDatabase.exe
Source: C:\Windows\System32\msiexec.exe - Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.Chart.Utils.v2.0.dll
Source: C:\Windows\System32\msiexec.exe - Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.APF.XrayPhysics.v2.0.dll
Source: C:\Windows\System32\msiexec.exe - Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Spreadsheet.v19.2.dll
Source: C:\Windows\System32\msiexec.exe - Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.Unity.dll
Source: C:\Windows\System32\msiexec.exe - Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.PhysicalFramework.Powder.v1.0.dll
Source: C:\Windows\System32\msiexec.exe - Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.Chart.v2.0.dll
Source: C:\Windows\System32\msiexec.exe - Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Spreadsheet.v19.2.Core.dll
Source: C:\Windows\System32\msiexec.exe - Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Grid.v19.2.Extensions.dll
Source: C:\Windows\System32\msiexec.exe - Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.Prism.dll
Source: C:\Windows\System32\msiexec.exe - Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.RigakuCommonTools.v1.0.dll
Source: C:\Windows\System32\msiexec.exe - Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.Chart.Other.v2.0.dll
Source: C:\Windows\System32\msiexec.exe - Dropped PE file which has not been started: C:\Windows\Installer\MSI360D.tmp
Source: C:\Windows\System32\msiexec.exe - Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.Infrastructure.ImageLib.v1.0.dll
Source: C:\Windows\System32\msiexec.exe - Dropped PE file which has not been started: C:\Windows\System32\msvcr100.dll
Source: C:\Windows\System32\msiexec.exe - Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.EnterpriseLibrary.Logging.Database.dll
Source: C:\Windows\System32\msiexec.exe - Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.Services.ReportingService.Interface.v4.0.dll
Source: C:\Windows\System32\msiexec.exe - Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Ribbon.v19.2.dll
Source: C:\Windows\System32\msiexec.exe - Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Sparkline.v19.2.Core.dll
Source: C:\Windows\System32\msiexec.exe - Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Pdf.v19.2.Drawing.dll
Source: C:\Windows\System32\msiexec.exe - Dropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\WupiEngine64.dll
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.ApplicationShell.Shell.Infrastructure.Interface.v4.0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\TouchKeyboardNotifier.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.ServiceLocation.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\MonitoredUndo.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.DocumentViewer.v19.2.Core.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Core.v19.2.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.APF.StressMath.v1.0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.CodeParser.v19.2.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\SQLserverConnectionSettings.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Signature.v1.0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Xpo.v19.2.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Charts.v19.2.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\System.ComponentModel.Composition.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\EntLibContrib.Logging.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.XtraCharts.v19.2.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\tbb.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.Services.ReportingService.v4.0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.Prism.Interactivity.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Pdf.v19.2.Core.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.Plugins.Logging.v4.0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.RLPS.DI.v1.0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\LocalSQLserverSettings.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.CustomDataDialog.v1.0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.Plugins.TreeBasePlugin.Interface.v4.0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Ionic.Zip.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Layout.v19.2.Core.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.EnterpriseLibrary.Logging.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.Services.UndoRedoService.Interface.v4.0.dllJump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\wac36A9.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.Infrastructure.RasxLib.v1.0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI8CAC.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.DBUPR.DI.v1.0.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.Infrastructure.IO.v1.0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\zlib.net.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Docking.v19.2.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Grid.v19.2.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\System.Windows.Interactivity.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Data.v19.2.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.DSCViewerControlLib.v1.0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.LayoutControl.v19.2.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI6BC5.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.ImageViewerControlLib.v1.0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\DevExpress.Office.v19.2.Core.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Logging.v1.0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.PhysicalFramework.Film.v1.0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\PdfSharp.Xps.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\Rigaku\SureDI\Rigaku.Chart.Interface.v2.0.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe | Evaded block: after key decision
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\SureDI.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\SureDI.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\SureDI.exe | API coverage: 8.6 %
Source: C:\Windows\System32\msiexec.exe TID: 8052 | Thread sleep count: 5816 > 30
Source: C:\Windows\System32\msiexec.exe TID: 8052 | Thread sleep count: 3934 > 30
Source: C:\Windows\System32\msiexec.exe TID: 8068 | Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe TID: 8180 | Thread sleep count: 3790 > 30
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe TID: 8180 | Thread sleep count: 6036 > 30
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe TID: 6016 | Thread sleep time: -27670116110564310s >= -30000s
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe TID: 6016 | Thread sleep time: -30000s >= -30000s
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe TID: 792 | Thread sleep time: -21213755684765971s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2944 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe | File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation
Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\SureDI.exe | Code function: 0_2_004373F3 __EH_prolog3_GS,_memset,GetTempPathW,FindFirstFileW,CompareFileTime,DeleteFileW,FindNextFileW,0_2_004373F3
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe | Code function: 1_2_004373F3 __EH_prolog3_GS,_memset,GetTempPathW,FindFirstFileW,CompareFileTime,DeleteFileW,FindNextFileW,1_2_004373F3
Source: C:\Users\user\Desktop\SureDI.exe | Code function: 0_2_0048C06D GetModuleHandleW,GetProcAddress,GetSystemInfo,GetNativeSystemInfo,0_2_0048C06D
Source: C:\Windows\System32\msiexec.exe | Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe | Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe | Thread delayed: delay time: 922337203685477
Source: SureDI.exe | Binary or memory string: 2hgFs
Source: svchost.exe, 0000000F.00000002.2932351016.00000249FAA54000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2930591574.00000249F542A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\SureDI.exe | API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe | API call chain: ExitProcess graph end node
Source: C:\Windows\System32\msiexec.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\SureDI.exe | Code function: 0_2_00456645 IsDebuggerPresent,0_2_00456645
Source: C:\Users\user\Desktop\SureDI.exe | Code function: 0_2_0046723E EncodePointer,EncodePointer,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_0046723E
Source: C:\Users\user\Desktop\SureDI.exe | Code function: 0_2_00450F18 __EH_prolog3_GS,LoadLibraryW,GetProcAddress,#17,0_2_00450F18
Source: C:\Users\user\Desktop\SureDI.exe | Code function: 0_2_00412E9E GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,_strlen,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,ReadFile,GetProcessHeap,HeapFree,0_2_00412E9E
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\SureDI.exe | Code function: 0_2_0046270D SetUnhandledExceptionFilter,0_2_0046270D
Source: C:\Users\user\Desktop\SureDI.exe | Code function: 0_2_00462730 SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00462730
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe | Code function: 1_2_0046270D SetUnhandledExceptionFilter,1_2_0046270D
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe | Code function: 1_2_00462730 SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_00462730
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\SureDI.exe | Process created: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe /q"C:\Users\user\Desktop\SureDI.exe" /tempdisk1folder"C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}" /IS_temp
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe | Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe | Process created: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe True
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe | Process created: C:\Windows\System32\msiexec.exe "c:\windows\system32\msiexec.exe" /i "c:\users\user\appdata\local\temp\{acb5abde-1955-466a-9c3a-b1fff8bb5cfb}\rigaku suredi.msi" transforms="c:\users\user\appdata\local\temp\{acb5abde-1955-466a-9c3a-b1fff8bb5cfb}\1033.mst" setupexedir="c:\users\user\desktop" setupexename="suredi.exe"
Source: C:\Users\user\Desktop\SureDI.exe | Code function: 0_2_00449455 __EH_prolog3_GS,_memset,_memset,_memset,_memset,_memset,_memset,InitializeSecurityDescriptor,CreateWellKnownSid,CreateWellKnownSid,CreateWellKnownSid,CreateWellKnownSid,CreateWellKnownSid,CreateWellKnownSid,SetEntriesInAclW,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,SetSecurityDescriptorDacl,CoInitializeSecurity,0_2_00449455
Source: C:\Users\user\Desktop\SureDI.exe | Code function: 0_2_00486444 __EH_prolog3_GS,AllocateAndInitializeSid,AllocateAndInitializeSid,AllocateAndInitializeSid,AllocateAndInitializeSid,_memset,SetEntriesInAclW,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,GetTempPathW,0_2_00486444
Source: SureDI.exe | Binary or memory string: Shell_TrayWnd
Source: SureDI.exe | Binary or memory string: BTahomaShell_TrayWnd0x0409TjK
Source: C:\Users\user\Desktop\SureDI.exe | Code function: 0_2_00458171 cpuid 0_2_00458171
Source: C:\Users\user\Desktop\SureDI.exe | Code function: GetLocaleInfoW,TranslateCharsetInfo,IsValidLocale,0_2_0045087D
Source: C:\Users\user\Desktop\SureDI.exe | Code function: GetLocaleInfoW,0_2_00450902
Source: C:\Users\user\Desktop\SureDI.exe | Code function: IsProcessorFeaturePresent,___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,0_2_004589D8
Source: C:\Users\user\Desktop\SureDI.exe | Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,GetLocaleInfoW,0_2_00476474
Source: C:\Users\user\Desktop\SureDI.exe | Code function: EnumSystemLocalesW,0_2_004766E4
Source: C:\Users\user\Desktop\SureDI.exe | Code function: _GetPrimaryLen,EnumSystemLocalesW,0_2_00476740
Source: C:\Users\user\Desktop\SureDI.exe | Code function: _GetPrimaryLen,EnumSystemLocalesW,0_2_004767BD
Source: C:\Users\user\Desktop\SureDI.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,0_2_00476840
Source: C:\Users\user\Desktop\SureDI.exe | Code function: GetLocaleInfoW,0_2_00476A33
Source: C:\Users\user\Desktop\SureDI.exe | Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_00476B5B
Source: C:\Users\user\Desktop\SureDI.exe | Code function: GetLocaleInfoW,_GetPrimaryLen,0_2_00476C08
Source: C:\Users\user\Desktop\SureDI.exe | Code function: _memset,_TranslateName,_TranslateName,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,0_2_00476CDC
Source: C:\Users\user\Desktop\SureDI.exe | Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,0_2_00467A41
Source: C:\Users\user\Desktop\SureDI.exe | Code function: EnumSystemLocalesW,0_2_00467C20
Source: C:\Users\user\Desktop\SureDI.exe | Code function: GetLocaleInfoW,0_2_00467CA6
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe | Code function: GetLocaleInfoW,TranslateCharsetInfo,IsValidLocale,1_2_0045087D
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe | Code function: GetLocaleInfoW,1_2_00450902
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe | Code function: IsProcessorFeaturePresent,___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,1_2_004589D8
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe | Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,GetLocaleInfoW,1_2_00476474
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe | Code function: EnumSystemLocalesW,1_2_004766E4
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe | Code function: _GetPrimaryLen,EnumSystemLocalesW,1_2_00476740
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe | Code function: _GetPrimaryLen,EnumSystemLocalesW,1_2_004767BD
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,1_2_00476840
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe | Code function: GetLocaleInfoW,1_2_00476A33
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe | Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,1_2_00476B5B
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe | Code function: GetLocaleInfoW,_GetPrimaryLen,1_2_00476C08
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe | Code function: _memset,_TranslateName,_TranslateName,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,1_2_00476CDC
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe | Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,1_2_00467A41
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe | Code function: EnumSystemLocalesW,1_2_00467C20
Source: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe | Code function: GetLocaleInfoW,1_2_00467CA6
Source: C:\Windows\System32\msiexec.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\msiexec.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\msiexec.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\msiexec.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\msiexec.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\msiexec.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\System32\msiexec.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll VolumeInformation
Source: C:\Windows\System32\msiexec.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll VolumeInformation
Source: C:\Windows\System32\msiexec.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.XML.dll VolumeInformation
Source: C:\Windows\System32\msiexec.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\msiexec.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\msiexec.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\msiexec.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\msiexec.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\msiexec.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\msiexec.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\msiexec.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\msiexec.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0312~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\NetSecurity\Microsoft.Windows.Firewall.Commands.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\netstandard\v4.0_2.0.0.0__cc7b13ffcd2ddd51\netstandard.dll VolumeInformationJump to behavior
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe Queries volume information: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe Queries volume information: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Logging.v1.0.dll VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe Queries volume information: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.EnterpriseLibrary.Logging.dll VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe Queries volume information: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.ServiceLocation.dll VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe Queries volume information: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.EnterpriseLibrary.Common.dll VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe Queries volume information: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.Unity.dll VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe Queries volume information: C:\Program Files\Rigaku\SureDI\Microsoft.Practices.Unity.Interception.dll VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Logging.v1.0.dll VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationProvider\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationProvider.dll VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exeQueries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exeQueries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\SureDI.exeCode function: 0_2_00446536 __EH_prolog3_GS,GetLocalTime,SystemTimeToVariantTime,0_2_00446536
Source: C:\Users\user\Desktop\SureDI.exeCode function: 0_2_00430B5D __EH_prolog3_GS,GetVersionExW,_wcscmp,_wcscmp,0_2_00430B5D
Source: C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | 1 Replication Through Removable Media | 4 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Disable or Modify Tools | OS Credential Dumping | 1 System Time Discovery | Remote Services | 11 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | 1 Data Encrypted for Impact
Credentials | Domains | Default Accounts | 12 Command and Scripting Interpreter | 11 Windows Service | 1 Access Token Manipulation | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 11 Peripheral Device Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | 1 System Shutdown/Reboot
Email Addresses | DNS Server | Domain Accounts | At | 1 Registry Run Keys / Startup Folder | 11 Windows Service | 2 Obfuscated Files or Information | Security Account Manager | 3 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 12 Process Injection | 1 Timestomp | NTDS | 47 System Information Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 1 Registry Run Keys / Startup Folder | 1 DLL Side-Loading | LSA Secrets | 41 Security Software Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 File Deletion | Cached Domain Credentials | 2 Process Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 23 Masquerading | DCSync | 41 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 41 Virtualization/Sandbox Evasion | Proc Filesystem | 1 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Access Token Manipulation | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 12 Process Injection | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
Behavior Graph ID: 1523277, Sample: SureDI.exe, Startdate: 01/10/2024, Architecture: WINDOWS, Score: 26
Started from the sample: msiexec.exe (248 265), Rigaku.EresSystem.MonitorService.v1.0.exe (2 4), SureDI.exe (6), svchost.exe
msiexec.exe dropped: Rigaku.EresSystem....torService.v1.0.exe (PE32+), Rigaku.EresSystem....ice.v1.0.exe.config (XML), C:\Windows\System32\msvcr100.dll (PE32+), 188 other files (none is malicious); started: msiexec.exe (27), msiexec.exe (1), msiexec.exe, msiexec.exe
Rigaku.EresSystem.MonitorService.v1.0.exe: Reads the Security eventlog, Reads the System eventlog; started: Rigaku.EresSystem.Monitor.v1.0.exe
SureDI.exe dropped: C:\Users\user\AppData\Local\...\SureDI.exe (PE32); started: SureDI.exe (1 8)
svchost.exe: 127.0.0.1 unknown unknown
msiexec.exe (27): Loading BitLocker PowerShell Module
msiexec.exe (1) dropped: C:\Users\user\AppData\Local\...\wac36A9.tmp (PE32+)
SureDI.exe (1 8) started: msiexec.exe (6), explorer.exe
msiexec.exe (6) dropped: C:\Users\user\AppData\Local\...\MSIFDE6.tmp (PE32)

Source | Detection | Scanner
SureDI.exe | 0% | Virustotal
Source | Detection | Scanner
C:\Program Files\Rigaku\SureDI\CreateSQLServerDatabase.exe | 0% | ReversingLabs
C:\Program Files\Rigaku\SureDI\CreateSQLServerDatabase.exe | 1% | Virustotal
C:\Program Files\Rigaku\SureDI\DevExpress.Charts.v19.2.Core.dll | 0% | ReversingLabs
C:\Program Files\Rigaku\SureDI\DevExpress.Charts.v19.2.Core.dll | 0% | Virustotal
C:\Program Files\Rigaku\SureDI\DevExpress.CodeParser.v19.2.dll | 0% | ReversingLabs
C:\Program Files\Rigaku\SureDI\DevExpress.CodeParser.v19.2.dll | 0% | Virustotal
C:\Program Files\Rigaku\SureDI\DevExpress.Data.v19.2.dll | 0% | ReversingLabs
C:\Program Files\Rigaku\SureDI\DevExpress.Data.v19.2.dll | 0% | Virustotal
C:\Program Files\Rigaku\SureDI\DevExpress.DataAccess.v19.2.dll | 0% | ReversingLabs
C:\Program Files\Rigaku\SureDI\DevExpress.DataAccess.v19.2.dll | 0% | Virustotal
C:\Program Files\Rigaku\SureDI\DevExpress.Docs.v19.2.dll | 0% | ReversingLabs
C:\Program Files\Rigaku\SureDI\DevExpress.Docs.v19.2.dll | 0% | Virustotal
C:\Program Files\Rigaku\SureDI\DevExpress.Images.v19.2.dll | 0% | ReversingLabs
C:\Program Files\Rigaku\SureDI\DevExpress.Images.v19.2.dll | 0% | Virustotal
C:\Program Files\Rigaku\SureDI\DevExpress.Mvvm.v19.2.dll | 0% | ReversingLabs
C:\Program Files\Rigaku\SureDI\DevExpress.Mvvm.v19.2.dll | 0% | Virustotal
C:\Program Files\Rigaku\SureDI\DevExpress.Office.v19.2.Core.dll | 0% | ReversingLabs
C:\Program Files\Rigaku\SureDI\DevExpress.Office.v19.2.Core.dll | 0% | Virustotal
C:\Program Files\Rigaku\SureDI\DevExpress.Pdf.v19.2.Core.dll | 0% | ReversingLabs
C:\Program Files\Rigaku\SureDI\DevExpress.Pdf.v19.2.Core.dll | 0% | Virustotal
C:\Program Files\Rigaku\SureDI\DevExpress.Pdf.v19.2.Drawing.dll | 0% | ReversingLabs
C:\Program Files\Rigaku\SureDI\DevExpress.Pdf.v19.2.Drawing.dll | 0% | Virustotal
C:\Program Files\Rigaku\SureDI\DevExpress.Printing.v19.2.Core.dll | 0% | ReversingLabs
C:\Program Files\Rigaku\SureDI\DevExpress.Printing.v19.2.Core.dll | 0% | Virustotal
C:\Program Files\Rigaku\SureDI\DevExpress.RichEdit.v19.2.Core.dll | 0% | ReversingLabs
C:\Program Files\Rigaku\SureDI\DevExpress.Snap.v19.2.Core.dll | 0% | ReversingLabs
C:\Program Files\Rigaku\SureDI\DevExpress.Sparkline.v19.2.Core.dll | 0% | ReversingLabs
C:\Program Files\Rigaku\SureDI\DevExpress.Spreadsheet.v19.2.Core.dll | 0% | ReversingLabs
C:\Program Files\Rigaku\SureDI\DevExpress.Utils.v19.2.dll | 0% | ReversingLabs
C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Charts.v19.2.dll | 0% | ReversingLabs
C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.CodeView.v19.2.dll | 0% | ReversingLabs
C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Controls.v19.2.dll | 0% | ReversingLabs
C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Core.v19.2.dll | 0% | ReversingLabs
C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Docking.v19.2.dll | 0% | ReversingLabs
C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.DocumentViewer.v19.2.Core.dll | 0% | ReversingLabs
C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Gauges.v19.2.dll | 0% | ReversingLabs
C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Grid.v19.2.Core.dll | 0% | ReversingLabs
C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Grid.v19.2.Extensions.dll | 0% | ReversingLabs
C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Grid.v19.2.dll | 0% | ReversingLabs
C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Layout.v19.2.Core.dll | 0% | ReversingLabs
C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.LayoutControl.v19.2.dll | 0% | ReversingLabs
C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.NavBar.v19.2.dll | 0% | ReversingLabs
C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.PdfViewer.v19.2.dll | 0% | ReversingLabs
C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Printing.v19.2.dll | 0% | ReversingLabs
C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Ribbon.v19.2.dll | 0% | ReversingLabs
C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.RichEdit.v19.2.dll | 0% | ReversingLabs
C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Spreadsheet.v19.2.dll | 0% | ReversingLabs
C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Themes.Office2016White.v19.2.dll | 0% | ReversingLabs
C:\Program Files\Rigaku\SureDI\DevExpress.Xpf.Themes.SmartBlue.v19.2.dll | 0% | ReversingLabs
C:\Program Files\Rigaku\SureDI\DevExpress.Xpo.v19.2.dll | 0% | ReversingLabs
C:\Program Files\Rigaku\SureDI\DevExpress.XtraCharts.v19.2.dll | 0% | ReversingLabs
C:\Program Files\Rigaku\SureDI\DevExpress.XtraEditors.v19.2.dll | 0% | ReversingLabs
C:\Program Files\Rigaku\SureDI\EntLibContrib.Logging.dll | 0% | ReversingLabs
No Antivirus matches
Source | Detection | Scanner | Label
http://www.fontbureau.com/designersG | 0% | URL Reputation | safe
http://www.fontbureau.com/designers/? | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.fontbureau.com/designers? | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.fontbureau.com/designers | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.fonts.com | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.fontbureau.com | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.fontbureau.com/designers/cabarga.htmlN | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.fontbureau.com/designers/frere-user.html | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.fontbureau.com/designers8 | 0% | URL Reputation | safe
http://www.installshield.com/isetup/ProErrorCentral.asp?ErrorCode=%d | 0% | Virustotal |
https://g.live.com/odclientsettings/ProdV2.C: | 0% | Virustotal |
http://www.rigaku.com | 0% | Virustotal |
https://g.live.com/odclientsettings/Prod.C: | 0% | Virustotal |
http://schemas.rigaku.com/slsii/infra/dscviewerctrl | 0% | Virustotal |
https://www.newtonsoft.com/json | 0% | Virustotal |
http://www.apache.org/licenses/LICENSE-2.0 | 0% | Virustotal |
http://www.aiim.org/pdfa/ns/id/ | 0% | Virustotal |
http://schemas.rigaku.com/slsii/infra/imgviewerctrl | 0% | Virustotal |
https://g.live.com/odclientsettings/ProdV2 | 0% | Virustotal |
http://schemas.rigaku.com/slsii/plugins/dbmanager | 0% | Virustotal |
https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96 | 0% | Virustotal |
http://james.newtonking.com/projects/json | 0% | Virustotal |
http://schemas.rigaku.com/slsii/infra/customfiledialog | 0% | Virustotal |
https://www.thawte.com/cps0/ | 0% | Virustotal |
http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd | 0% | Virustotal |
http://schemas.rigaku.com/eressystem/uicommon | 0% | Virustotal |
https://www.newtonsoft.com/jsonschema | 0% | Virustotal |
https://www.thawte.com/repository0W | 0% | Virustotal |
http://creativecommons.org/ns# | 0% | Virustotal |
https://www.nuget.org/packages/Newtonsoft.Json.Bson | 0% | Virustotal |
http://www.inkscape.org/namespaces/inkscape | 0% | Virustotal |
https://www.nuget.org/packages/Mono.Cecil/) | 0% | Virustotal |
No contacted domains info
IP | Domain | Country | ASN | ASN Name | Malicious
127.0.0.1 | | | | |
            Joe Sandbox version:41.0.0 Charoite
            Analysis ID:1523277
            Start date and time:2024-10-01 12:18:23 +02:00
            Joe Sandbox product:CloudBasic
            Overall analysis duration:0h 10m 20s
            Hypervisor based Inspection enabled:false
            Report type:full
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:17
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Sample name:SureDI.exe
            Detection:SUS
            Classification:sus26.evad.winEXE@20/259@0/1
            EGA Information:
            • Successful, ratio: 50%
            HCA Information:
            • Successful, ratio: 86%
            • Number of executed functions: 45
            • Number of non-executed functions: 342
            Cookbook Comments:
            • Found application associated with file extension: .exe
            • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
            • Excluded IPs from analysis (whitelisted): 184.28.90.27
            • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, e16604.g.akamaiedge.net, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
            • Execution Graph export aborted for target Rigaku.EresSystem.Monitor.v1.0.exe, PID 6924 because it is empty
            • Execution Graph export aborted for target Rigaku.EresSystem.MonitorService.v1.0.exe, PID 8140 because it is empty
• Not all processes were analyzed, report is missing behavior information
            • Report size exceeded maximum capacity and may have missing behavior information.
            • Report size exceeded maximum capacity and may have missing disassembly code.
            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
            • Report size getting too big, too many NtCreateKey calls found.
            • Report size getting too big, too many NtSetInformationFile calls found.
Time | Type | Description
06:19:51 | API Interceptor | 40x Sleep call for process: msiexec.exe modified
06:19:57 | API Interceptor | 226354x Sleep call for process: Rigaku.EresSystem.MonitorService.v1.0.exe modified
06:20:11 | API Interceptor | 2x Sleep call for process: svchost.exe modified
06:20:41 | API Interceptor | 233394x Sleep call for process: Rigaku.EresSystem.Monitor.v1.0.exe modified
            Process:C:\Windows\System32\msiexec.exe
            File Type:data
            Category:dropped
            Size (bytes):381917
            Entropy (8bit):6.168201549880252
            Encrypted:false
            SSDEEP:3072:LcB+bVckShH1Qy0GX2ay5BToHgL67PFdSo2+EnArvigH7vJyoEQumVqonYKWyRpY:LcMSHQy9yHTOu+PFgo2bANzsoQ+G
            MD5:4D3B0F259BF6AFD13A0CEF43598257B6
            SHA1:6C402EC20FD137387D5D8C9D04A78419239FB4B6
            SHA-256:5FD8967BDB3D26D681344131DE354C3C1B0FB65F5DF53FDD59E533610E0EE282
            SHA-512:B2CE76A6924B8AE2BEE8791F157400B73B1BF3541530268FEE8D97B0B26D9A2A9BAB9AABF5D83B88A019F08DCFE7D21042ECDA9ED0258599D11D69453B065A00
            Malicious:false
            Reputation:low
            Preview:...@IXOS.@.....@s2AY.@.....@.....@.....@.....@.....@......&.{12226574-52CC-483F-8DB0-E617C91F04D0}..Rigaku SureDI..Rigaku SureDI.msi.@.....@.....@.....@......ARPPRODUCTICON.exe..&.{51A2CE23-9920-4B37-A131-F84FF84F0C0E}.....@.....@.....@.....@.......@.....@.....@.......@......Rigaku SureDI......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{7BDD2407-5B3B-4A1E-B7D3-0D77EA14F0DE}&.{12226574-52CC-483F-8DB0-E617C91F04D0}.@......&.{F5EA3BFD-84A7-44F6-9EC1-6AE17B144558}&.{12226574-52CC-483F-8DB0-E617C91F04D0}.@......&.{27AA3830-2F09-4373-A4DA-B451D96BFA29}&.{12226574-52CC-483F-8DB0-E617C91F04D0}.@......&.{6EDD79DC-EF94-42D4-8298-3F945FA68E90}&.{12226574-52CC-483F-8DB0-E617C91F04D0}.@......&.{41BC3AC2-727C-4588-B3F8-E2E703BF1651}&.{12226574-52CC-483F-8DB0-E617C91F04D0}.@......&.{4B1B521F-A83F-4931-8349-7AD494C171EB}&.{12226574-52CC-483F-8DB0-E617C91F04D0}.@......&.{FA9B8271-A17D-4AC6-BF35-02E8F524
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):22528
            Entropy (8bit):5.364271863172382
            Encrypted:false
            SSDEEP:384:h2TZpFBvX1vTpH8DlGWNcZmQNlrNaXYFMFhMOoJYaptYcFwVc03K:h2tpFBvj4jUaoFKnutYcFwVc6K
            MD5:474E57E9810961FA1B8862B28361BC8A
            SHA1:B317C6D20FB726664626BDF2146FDFD83CFCD52D
            SHA-256:D1832EC173428521E857418AE5FBC8BE5DA592CA5B8C83A4769EFFB6F73C6D5F
            SHA-512:263E5C55A1CD5F4112C645B64FE95157B33528B9AE98454149286A1A914B3FE728B023C711E89FA7293F15CE868308C56B55E4B09F76FBE0D57C34FF4442EFA0
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            • Antivirus: Virustotal, Detection: 1%
            Reputation:low
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0..B..........V`... ........@.. ....................................`..................................`..O...................................(_..8............................................ ............... ..H............text...\@... ...B.................. ..`.rsrc................D..............@..@.reloc...............V..............@..B................8`......H........0...'...........X..x.............................................~....}.....(.....(.....r...ps....}.....{...........s....o....*.0...........{....o....--.{....(....o.....{....(....o.....{.....o....*.{....(....o.....{....(....o.....{.....{....r...po....o......,...%.r3..p...{....o......( ...-;...o!.......,Z.....1...%.. .o".....{....r9..p...(#...o....*.{....( ...o.....{....(....o.....{.....o....**....0..B........{....o$....o%...&.{....o&....{.....{....o$...o'....Yo(.....
            Process:C:\Windows\System32\msiexec.exe
            File Type:Windows NTbackup archive NT, with file catalog, soft size 8*512, software (0x1200): Microsoft SQL Server
            Category:dropped
            Size (bytes):3534848
            Entropy (8bit):2.7703261466882165
            Encrypted:false
            SSDEEP:12288:/xHZ8WRL7JWzdu6M5emNNiEcAHrpdlGFFF/lcvj:/x59RRcWem0E3lGxlcj
            MD5:D9ABC5F19011DDDF2EF3CC084B4C14AD
            SHA1:FED7ADB5BF4BE0B54AE13400C7F4404B40D7B186
            SHA-256:1206CD45CE5F1FE6E886E307C7E9AE389D257A7884872C393F9F363AB0D146C6
            SHA-512:0AEDD6E5A6604C7D7BACC1BB15E20DD841BA4972DB58A9D0D778AD091B496AD142B923AFB1C93E31E685EBC3144F4C257B51BABFB0A3A00C84B9DBE8B94C79E3
            Malicious:false
            Preview:TAPE................................................(D..........................,.^..........M.i.c.r.o.s.o.f.t. .S.Q.L. .S.e.r.v.e.r.......RAID.... ...........;.0...P..E.U..N....................SPAD....&...........4...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
            Process:C:\Windows\System32\msiexec.exe
            File Type:Windows NTbackup archive NT, with file catalog, soft size 8*512, software (0x1200): Microsoft SQL Server
            Category:dropped
            Size (bytes):4005888
            Entropy (8bit):2.856592675644773
            Encrypted:false
            SSDEEP:12288:YpHmcDIqRM6P2FuKzduAsnj6zqAU8H71aFkqm6BjCln+UhnN:YpPDRM6P2EYeGzXU8AmaGltN
            MD5:5FEDFF5E6B27EEDB3F3A7122E72AA01C
            SHA1:D952E9E7911A83B2EDE49586FF2E51F69F26B8C8
            SHA-256:0FEFC1E2BF7667A03A543F0833290605A6B688A563A3F4C1AE8A1E1B0A857E12
            SHA-512:79B86631EF7CEF366186F325AC756A533FA265E35DBCF0893B3AA2404533ED9C3696EAB399E5F9039657E81E1D672C62D0D0DFDCCAC380187C204EFCEEC181CA
            Malicious:false
            Preview:TAPE................................................M=.2........................,.^..........M.i.c.r.o.s.o.f.t. .S.Q.L. .S.e.r.v.e.r.......RAID.... ...........;.^L..C.I.......N..................SPAD....&...........4...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
            Process:C:\Windows\System32\msiexec.exe
            File Type:Windows NTbackup archive NT, with file catalog, soft size 8*512, software (0x1200): Microsoft SQL Server
            Category:dropped
            Size (bytes):3993600
            Entropy (8bit):2.81326160814854
            Encrypted:false
            SSDEEP:12288:cGcfXpiGlCH4tydRTgu9c2zdu4i9qO0r0oe9c4G1cfXpSoR98vEp+liEruas:cTlCqMR99c8S9qy9FR92liKo
            MD5:67CDDB845071AB94B80D50FE6580186B
            SHA1:3019FD303FB8EA1958D61251B62F72F23E629DF0
            SHA-256:398105C3B8412ECAFA50AB265D9C71381C1851B6780E9A22C5BEC6E816E87A7B
            SHA-512:AF93EC729782A654A4746B29F2F6BB21E6E524DFD0A13792916AA39BF34F2B23F09F6F4362FFEB83EDF8814D7D77F48584F148A912A7FBD6C1C09DCC4479983C
            Malicious:false
            Preview:TAPE.................................................7.6........................,.^..........M.i.c.r.o.s.o.f.t. .S.Q.L. .S.e.r.v.e.r.......RAID.... ...........;.b...!..N...xV.z..................SPAD....&...........4...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
            Process:C:\Windows\System32\msiexec.exe
            File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
            Category:dropped
            Size (bytes):5396
            Entropy (8bit):5.000775216075916
            Encrypted:false
            SSDEEP:96:N454ztgnRrsmflsbsqsJ0sUsGrsG6sJscsdsysfbCWsC6+O2lBsys7sXseXgAXq3:NsSML9s1PZ5r56MV8t4NNNeg3aQZYwe
            MD5:CC2B2FD0E0DA1FC052BEA047178B9CA9
            SHA1:3FB07A562B2C7717640A36E6EF4CCCABFE025DC6
            SHA-256:60EFAD71F0AFDEE750CC43DA98167D1CA550656FBD9E2A6E581829C99C646400
            SHA-512:07F455B9C35CB90E3638C7BABE4F579E9F4705E3C12F7B506E74A9E3A6D84A6A53DECDA4220E09445DA6C014E6FB2E617FE5CFBE92808ECBE428270B4D10665E
            Malicious:false
            Preview:.<?xml version="1.0" encoding="utf-8"?>..<DatabaseBackup xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">.. <RigakuDB_Logging HashCode="1206cd45ce5f1fe6e886e307c7e9ae389d257a7884872c393f9f363ab0d146c6" DiskUsageMB="5.01" DBSizeMB="0.01" FileSizeMB="3.37">RigakuDB_Logging.bak</RigakuDB_Logging>.. <RigakuDB_Project HashCode="0fefc1e2bf7667a03a543f0833290605a6b688a563a3f4c1ae8a1e1b0a857e12" DiskUsageMB="5.01" DBSizeMB="0.01" FileSizeMB="3.82">RigakuDB_Project.bak</RigakuDB_Project>.. <RigakuDB_System HashCode="398105c3b8412ecafa50ab265d9c71381c1851b6780e9a22c5bec6e816e87a7b" DiskUsageMB="5.01" DBSizeMB="0.09" FileSizeMB="3.81">RigakuDB_System.bak</RigakuDB_System>.. <DatabaseTablesMngInfo>.. <TablesMng DatabaseName="RigakuDB_Logging">.. <TableInfo TableName="AuditTrailInfo" TableVersion="1" TableCreated="" TableModified="" TableExists="True" />.. <TableInfo TableName="LogInfo" TableVersion="1" TableCreated="" TableModif
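The HashCode attributes in this dropped manifest are the lowercase SHA-256 values of the three NTbackup files listed above it (1206CD45..., 0FEFC1E2..., 398105C3...), so the installer ships its own integrity reference for the database backups. The script below is an added example, not code from Joe Sandbox or from the Rigaku installer: it reproduces the per-file fields the report prints for every dropped file (size, MD5/SHA1/SHA-256, 8-bit Shannon entropy) and verifies a DatabaseBackup manifest of this shape against the files on disk. The .bak byte strings in SAMPLE_BAK are constructed stand-ins (only the "TAPE" header and the UTF-16 "Microsoft SQL Server" string are taken from the previews); the manifest is generated from them so the check runs offline. To use it on the real drop, read each .bak and the XML as bytes and pass them in place of the constructed values.

```python
import hashlib
import math
import xml.etree.ElementTree as ET

# Constructed stand-ins for the three NTbackup files msiexec.exe drops.
# The real contents are not on the page; only the header fragments are real.
_NTBACKUP_HDR = b"TAPE" + b"\x00" * 44 + "Microsoft SQL Server".encode("utf-16-le")
SAMPLE_BAK = {
    "RigakuDB_Logging.bak": _NTBACKUP_HDR + b"\x00" * 512,
    "RigakuDB_Project.bak": _NTBACKUP_HDR + b"\x01" * 512,
    "RigakuDB_System.bak":  _NTBACKUP_HDR + bytes(range(256)) * 2,
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def shannon_entropy_8bit(data: bytes) -> float:
    """Report-style 'Entropy (8bit)': Shannon entropy over byte values, in bits (0.0 to 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def file_summary(data: bytes) -> dict:
    """Reproduce the per-file metadata block of the report for one dropped file."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": sha256_hex(data).upper(),
        "entropy": shannon_entropy_8bit(data),
    }


def build_manifest(files: dict) -> str:
    """Build a DatabaseBackup manifest in the shape of the dropped XML, with real hashes of `files`.

    Only used here to produce test input; the installer writes the real one.
    """
    root = ET.Element("DatabaseBackup")
    for name, data in files.items():
        el = ET.SubElement(root, name[: -len(".bak")])
        el.set("HashCode", sha256_hex(data))
        el.set("FileSizeMB", f"{len(data) / (1024 * 1024):.2f}")
        el.text = name
    return ET.tostring(root, encoding="unicode")


def verify_manifest(manifest_xml, files: dict) -> dict:
    """Check every <X HashCode=...>file.bak</X> entry against `files` ({filename: bytes}).

    Returns {filename: 'ok' | 'hash-mismatch' | 'missing'}. Child elements without a
    HashCode attribute (e.g. DatabaseTablesMngInfo) are ignored. `manifest_xml` may be
    str or the raw bytes of the file (a UTF-8 BOM is handled by the parser).
    """
    root = ET.fromstring(manifest_xml)
    results = {}
    for el in root:
        expected = el.get("HashCode")
        if expected is None or not el.text:
            continue
        name = el.text.strip()
        data = files.get(name)
        if data is None:
            results[name] = "missing"
        elif sha256_hex(data) != expected.lower():
            results[name] = "hash-mismatch"
        else:
            results[name] = "ok"
    return results


if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_BAK)
    for name, data in SAMPLE_BAK.items():
        print(name, file_summary(data))
    print(verify_manifest(manifest, SAMPLE_BAK))
```

A mismatch here is worth noting during triage in either direction: a backup that the manifest does not vouch for was altered after packaging, and a manifest that vouches for a file absent from the drop points at an incomplete or interrupted install.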
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):884504
            Entropy (8bit):6.079615871478404
            Encrypted:false
            SSDEEP:12288:OUvz3T7cWPUW1kiguUm/JEQDizOoyUovVxFmd9gIWMo9qsGpk5O8F1X29SfFiNA2:OUvxFWc/oyUOPZ9qsP1QSfFjRY
            MD5:0D068D7EBC19211F1DE71008445C63AB
            SHA1:A56BF03656C6AC357D59E3E2148A91312432D371
            SHA-256:AE061EFBB50808BE4C69965CB3962C2A36F0C8F462CDD9DEBB19DF1F664B48A8
            SHA-512:1F01E77C53C96F63344346D7B02F3B8C28B1E7BF4DD577E502425BCBEEF341D012C1B34CF04E258EDFC16F622CF8B36DA8140BD4F1F3BE1097AE698E80179247
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            • Antivirus: Virustotal, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...h.!..........." ..0..Z...........v... ........... ....................................`..................................v..O....................d...............u..8............................................ ............... ..H............text....X... ...Z.................. ..`.rsrc................\..............@..@.reloc...............b..............@..B.................v......H...........(...................@u......................................2.{....ox...*2.{....oy...*>.{....oz......*2.{....o{...*2.{....o|...*.0..q.........T...T.op...-.*..o......o.......op....Y1..-.*..T..o......o.......0..-...T*..op....Y2....op....YT*.-.....YT*...T*....0..R.......s}.....o~....+-.o.......(.......o....-..{.....o....,...o.....o!...-....,..o/.....*..........9F.......0..E.........(........{.....o....,..{.....o.....+..-..o@...oK.....{......o.....*....0..+........o@.
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):1748248
            Entropy (8bit):5.830698218349036
            Encrypted:false
            SSDEEP:24576:s9fnTyq9I9bXfLN9WB6hmgnCCl4Q47ii8:sj9kX/mCnCy4Q95
            MD5:92F02F4074ED0CDBECF3E6A57184F68C
            SHA1:C8B953BDC2444B22D32C82853945E784EABEFFC4
            SHA-256:A96731C004F9A85F6B2B0EF62BD406C2B59C2BDE3413CF87A31D3D82333F91E6
            SHA-512:E4E8CAE70FE420698755543ABCF2D2423AEC9E5FECE54C58E91C7DCCB828B7433F905C28CF077D1CF4EED722B47ADCB3C79357309FAE26DFB1145098A9A43D27
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            • Antivirus: Virustotal, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....y..........." ..0..............<... ........... ....................................`..................................<..O....................................;..8............................................ ............... ..H............text...\.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.................<......H.......L......................<;......................................&...(....*..(4....-.r...ps5...z..}......}......}......}....*r.-..*.{....,..{.....o....*.*....0..1........-..*.o......,..*.o......,..o....,..o......,..*.*....0...........o......-..o......*..0..*........-..*..(......-..*..(....,..*..(......-..*...0...........P...(......-..*..(....,...Q.*>..}......}....*..{....,#...{....(....}......}.....{.......*..|....(....*..{....*..0...........(4....s6...}.....(.......r.
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):7416600
            Entropy (8bit):6.341876106640743
            Encrypted:false
            SSDEEP:49152:8DCyO1XjnQKfI6JhTpAjfwgY9tI8RsfrLCgm61qBBNsBhwhuWAv74ntTimWL1S1R:rtjQKfI6JtpAjfhY62WL1S1wUwyWa
            MD5:C5BBDC1417D3DE48BFF2EC7DC5012C3C
            SHA1:A9C6F1DC737C6AB8AAB50F1038BC4BC2B1E529BF
            SHA-256:76F21D9EE3E622B5DFC56DC3D830E1979003A296B8D73B1EFA837DE059D8F921
            SHA-512:20FE981CE543489F27263993B0CA1E0A6CBE44D0C3366B637CCB948EFE99253CEE7591382A3115888CB4E53ACCE3FC98568B704FB2E964250A5C29BF538ADA4C
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            • Antivirus: Virustotal, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...DV............" ..0...q..........Up.. ...@q...... ........................q...........`.................................rUp.O....@q.X.............q......`q......Tp.8............................................ ............... ..H............text.....q.. ....q................. ..`.rsrc...X....@q.......q.............@..@.reloc.......`q.......q.............@..B.................Up.....H........}..p91...........J...%..Tp.......................................{....*..{....*V.(......}......}....*...0..;........u......,/(.....{.....{....o....,.(.....{.....{....o....*.*. .(.. )UU.Z(.....{....o....X )UU.Z(.....{....o....X*.0...........r...p......%..{...........O.....O...-.qO........O...-.&.+...O...o.....%..{.....................-.q.............-.&.+.......o.....(....*..{....*..{....*V.(......}......}....*...0..;........u......,/(.....{.....{....o....,.(.....{...
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):2148632
            Entropy (8bit):5.8804917213223185
            Encrypted:false
            SSDEEP:24576:+hwclxnvfRwBFjsTYqbcUtTxa2/zXqNHAQ68T2O9BK5p2ylAGWSAXHdzQ9kHB9z9:+hwclx0ld/9u8CO9BK5p2ylJEXms9
            MD5:F9A840DB2B02D5CED8A3DC83F610B4B7
            SHA1:7004A22AE3E40356BC04AB0151D9BF4B224A957D
            SHA-256:5FFE487F340DB2F15F05F9B6A4E6B4AAC54B49F4C4D5D8E05DE2D2A742769804
            SHA-512:76F463BA7AD47B16F499AA2377B853751D5E9DC9943F1A6853A65B9840E51A736A3F55BC899EA14FC57B2E3212D5370FF79A2C0526BFC3A6A0A752C5BBB62863
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            • Antivirus: Virustotal, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...g]..........." ..0... .........~. .. .... ...... ....................... !...........`.................................,. .O..... .`............. .......!.....D. .8............................................ ............... ..H............text..... .. .... ................. ..`.rsrc...`..... ....... .............@..@.reloc........!....... .............@..B................`. .....H.......hm..4............3..(.... .......................................{b...*..{c...*..{d...*r.(e.....}b.....}c.....}d...*....0..S........u......,G(f....{b....{b...og...,/(h....{c....{c...oi...,.(j....{d....{d...ok...*.*..0..K....... .l". )UU.Z(f....{b...ol...X )UU.Z(h....{c...om...X )UU.Z(j....{d...on...X*..0...........r...p......%..{b..........!.....!...-.q!........!...-.&.+...!...oo....%..{c.........."....."...-.q"........"...-.&.+..."...oo....%..{d...........#......#..
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):276248
            Entropy (8bit):6.1631620853343465
            Encrypted:false
            SSDEEP:3072:vljd/VjX+rGiJxEcQ5hejnLksw0kKKMjv85ypdfvNAJHKX7LzcrZjJvMSsSehU79:JqjYt0Bjv85ypdfv0HyzchxjsP38LF
            MD5:DC8E7B9D5346DCCFCBC6F498305BBB16
            SHA1:C69CAA501E1466B79E645ACF094659639B3EA775
            SHA-256:F2F1587F0CCCC06A04B666CC0DE193DEE13BD6395F5505D133D78F87F3266591
            SHA-512:ED5FDD2C08A5A45FB1E638E87026C276A15F59831B7B8B60B4C32DC5DA361C1A61F1DD7070BA16C9BC8E3461DCE50336F0843D510F2C663202FEDEFE24E9206E
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            • Antivirus: Virustotal, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....s..........." ..0.............r0... ...@....... ....................................`..................................0..O....@..0....................`......H/..8............................................ ............... ..H............text...x.... ...................... ..`.rsrc...0....@......................@..@.reloc.......`......................@..B................R0......H............m.........................................................."..(6...*....0..y........{....-j..}....~....-F.....(7.........(8...~....-.r...p.....(7...o9...s:...........,..(;.....~.....(<...o=...(>....(<...*.........#./R.......0..........s?......r?..po@.....rO..po@.....r_..po@.....ri..po@.....ro..po@.....rw..po@.....r}..po@.....r...po@.....r...po@......r...po@......r...po@......r...po@......r...po@......r...po@....*.(A...*.~....*..(B...*.(.........*.~....*...0..&...
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):8590104
            Entropy (8bit):7.022517133639139
            Encrypted:false
            SSDEEP:49152:ZonrDStR+HZT11vjpAeyATtVhPiY131xT2TbqWWRpAy4Mkn6UQ8unpeiIEmTWfhS:MRhpyY1Fp6bApPxk7Q8unptuszuHvQu
            MD5:00AC0553D5E0D8A31458FD6BA6C4E8A0
            SHA1:5A64483E924B692624EA40D8439C131905804ACF
            SHA-256:8135999D6F0854D2A9C0989A36E5E47E6E54431D664A5769505E2F76FD000920
            SHA-512:DCD2411EF3E861A09D683718237B93AF31610405FDC850015395272454E09626D7066896920C3397BE2D123E99D27642804A622F2197E964CDAD349B020B1F5F
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            • Antivirus: Virustotal, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0............r.... ... ....... .......................`............`................................. ...O.... ..4....................@......D...8............................................ ............... ..H............text...x... ..................... ..`.rsrc...4.... ......................@..@.reloc.......@......................@..B................T.......H.......d...@............... [k...........................................{....*..{....*V.(......}......}....*...0..;........u......,/(.....{.....{....o ...,.(!....{.....{....o"...*.*. =*._ )UU.Z(.....{....o#...X )UU.Z(!....{....o$...X*.0...........r...p......%..{.....................-.q.............-.&.+.......o%....%..{.....................-.q.............-.&.+.......o%....(&...*..{'...*..{(...*V.(......}'.....}(...*...0..;........u......,/(.....{'....{'...o ...,.(!....{(..
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):691480
            Entropy (8bit):5.8260306819262
            Encrypted:false
            SSDEEP:12288:BAOa83zP/7K8IBpuyTgtp6mo24cCVGbMg:BAr83TsTgXTo23Mg
            MD5:546B0561A5776F8F25D3D2773DBEFC8B
            SHA1:5141A3834E617E39649E8E01A6249634F39EDFFE
            SHA-256:B7652FBF50E49DEE606346F608454798966DE0584E108BB2B4B8C3CA0AB19BB3
            SHA-512:25682C70F655847131F78978AFDC2446D337ED68163B50DFBD97E1D8BF38E4820CB17109412FAE31F165DA2414720C7112DC98C58D72DEAE8755BE35AD7E5DC0
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            • Antivirus: Virustotal, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D]=..........." ..0..h............... ........... ....................................`....................................O.......0............r..................8............................................ ............... ..H............text...$g... ...h.................. ..`.rsrc...0............j..............@..@.reloc...............p..............@..B........................H........^... ..............`...x.........................................{l...*..{m...*V.(n.....}l.....}m...*...0..;........uo.....,/(o....{l....{l...op...,.(q....{m....{m...or...*.*. .... )UU.Z(o....{l...os...X )UU.Z(q....{m...ot...X*.0...........r...p......%..{l..........5.....5...-.q5........5...-.&.+...5...ou....%..{m..........<.....<...-.q<........<...-.&.+...<...ou....(v...*..{w...*..{x...*V.(n.....}w.....}x...*...0..;........ur.....,/(o....{w....{w...op...,.(q....{x..
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):2535192
            Entropy (8bit):6.129583821791066
            Encrypted:false
            SSDEEP:24576:fPTd/rg3M9+aadC5eKgm08gmmU26sKKqp2mfU5yoccdCwYuMwMzOhVlorlNfTFCd:fP7+01gmXgmmU26s4tSUQMaVlbL
            MD5:8F13CAC52A061355A616BAC268FB7873
            SHA1:427AEB9E0D49032F7629680CF904FE57DB1D1582
            SHA-256:DDC3545D37A6E7E559468403B675472405E1BA9AE467687AD7649BBB656A2BC4
            SHA-512:ABC73594D65144A9382D6E22D3EAD5F3F87D0E2788F636CC1AE2C4685C3C9B313AE6703C6608FBB9D1D440751CC18B2DA08A24E3ACDCB5B80F07F3688723409F
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            • Antivirus: Virustotal, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....?..........." ..0...&.........*.&.. ....&...... ........................'...........`..................................&.O.....&.p.............&.......&......&.8............................................ ............... ..H............text...p.&.. ....&................. ..`.rsrc...p.....&.......&.............@..@.reloc........&.......&.............@..B..................&.....H............O...........~".....p.&....................................."..(]...*....0..y........{....-j..}....~....-F.....(^.........(_...~....-.r...p.....(^...o`...sa...........,..(b.....~.....(c...od...(e....(c...*.........#./R......b..{.....(f...t....}....*b..{.....(g...t....}....*j.{....,..{.....~h...oi...*b..{.....(f...t....}....*b..{.....(g...t....}....*j.{....,..{.....~h...oi...*"..o....*.*..(j...*J.(j....sH...}....*..{....*..{....*b.{.....3.*..}.....o....*b..{(....(f
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):3001624
            Entropy (8bit):6.736286457131476
            Encrypted:false
            SSDEEP:49152:mDc9S8Xgjsr7xILpMHOIvoJqOccS/Oz5zKJc3JXeOI:mYoODcDz5zic3RJI
            MD5:4EDD86FB8BFF94F49702B9FF1FB441A5
            SHA1:4CAB70974DA387048D084CCAE18959BDFDD11FFA
            SHA-256:B31C068301FCC0A06FC9C711621E07764C18BB09CC8B4A9598A82AE88238205C
            SHA-512:D451B77F56B15FA1561F1033967E74E3E0D6356BAF6B830F109B43E33383302313C2A4744735FD88A82E688B0B56AB4256D18057C2019F8D8886EBBEF2DB7E39
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            • Antivirus: Virustotal, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L... .&..........." ..0...-...........-.. ....-...... ....................... ............`.................................Y.-.O.....-...............-.............|.-.8............................................ ............... ..H............text.....-.. ....-................. ..`.rsrc.........-.......-.............@..@.reloc................-.............@..B..................-.....H.......TQ.......................-.....................................^.{....-...o......}....*.0............(.......(.....*...................:..(.....(o...*..(p...*..{....*..{....*..{....*r.(p.....}......}......}....*..{q...*..{r...*V.(p.....}q.....}r...*F..ss.......(t...*V.(p.....}u.....}v...*...0..........sw......}x.....}y.....}z.....}{....{v......|...s}...(...+...~...-..{v..........s}...(...+.......~...-Z.{v...(...+...{v....{z...(........(...+,1....{y.....(........(...+
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):397080
            Entropy (8bit):6.034134908842403
            Encrypted:false
            SSDEEP:6144:k+uL8gvxKXrFr3uPRWBo02khlJwauQvUTTXW4pT+pbC6ctNqOotGRb+PMmw:sL82xKlRThdaWm4Vaw4
            MD5:E01A89F562BDBD0D08D1F7DBAE2B488F
            SHA1:31608C5556028A3DEAF6346F696BA38158111CF1
            SHA-256:A05972EB2A3F8CA951019D21D9B84AFFB33F3830EED718871D92426CD5582A43
            SHA-512:D76F9DE9029043F5E77CF5713884F9D29B90F5CC06964CCE085375E92C4965D0672CD1BB7B5F910723CF06F0365046A923640A6A34F6C34FF97878CEB962B002
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            • Antivirus: Virustotal, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...f............." ..0.................. ... ....... .......................`............`................................./...O.... .......................@......L...8............................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................c.......H........J...............................................................{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*:.(4.....}....*...}.....r...p}......}.......(....*....0..K........(%......(....o5...s6......{....o7.....{....o8.....{....o9.....{....o:....*..{....*R...(.....s;...}....*:.{......o<...*6.{.....o=...*2.{....o>...*:.{......o?...*6.{.....o@...*2.{....oA...*.0..............o.......{....oB....*2.(....oC...*6.(.....oD...*&...(....*f.(%......(....o5...sE.
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):4398872
            Entropy (8bit):6.534147829212314
            Encrypted:false
            SSDEEP:49152:D4UdiLi6HgBW5C7jlxdjYIVQv0r/o8wSp3OjVnCcJIR51NBZkvz0jCtgrDlL9et2:sUdOijW5C7jlfTVpCNn5DXgxr
            MD5:F2D31434C7D78D5FC41EEA2631DFCF9E
            SHA1:B03184E0FC7DA7E47B50868CA82B17D5EC0A8043
            SHA-256:51031A99EE585825C291DE4167BF9932B4F4D2320C12DE10C5CD0EADBCF57AFF
            SHA-512:3588B7CFDDDDDBE6ED48E21ECF61E94FDA04B77231981AF6DB91E068F3D0D1F98EA2E78D7483C3C55295BFD86C91ED28F26566DB836519D8AA53D5E50B954857
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            • Antivirus: Virustotal, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...q.A..........." ..0...B..........zB.. ... C...... .......................`C...........`..................................zB.O.... C...............C......@C......yB.8............................................ ............... ..H............text...l.B.. ....B................. ..`.rsrc........ C.......B.............@..@.reloc.......@C.......C.............@..B.................zB.....H.......H...,.".........t.4.....4yB.......................................{....*..{....*V.(......}......}....*...0..;........u......,/(.....{.....{....o....,.(.....{.....{....o....*.*. ... )UU.Z(.....{....o....X )UU.Z(.....{....o....X*.0...........r...p......%..{.....................-.q.............-.&.+.......o ....%..{.....................-.q.............-.&.+.......o ....(!...*..{"...*..{#...*V.(......}".....}#...*...0..;........u......,/(.....{"....{"...o....,.(.....{#..
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):9008408
            Entropy (8bit):5.796352123471346
            Encrypted:false
            SSDEEP:98304:jN0oz5FD+XOHqobw9lLsU5CB8aO4w5T7mp53pDR6y4:jilT5T725ZDY
            MD5:572F270083C1D44F7FCC3CBC55D7DAA8
            SHA1:1CD5C3297ABAD1C495DD0FD4B8658C97C044F93D
            SHA-256:CFFBD14919258BE539C0516A200C680ED21543808FC8335E6C089326A555EFE0
            SHA-512:C1624F9FDC77E4A9249AF151C293CF5578911E75094C3ECF30F5B1653A51D8DF0282EBFCA7BA9F1076DB60BE6A83AD9C1BC48BEA42C5BD53BA0321131764CF84
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A............." ..0..P...........P... ........... ....................................`.................................\P..O....................Z..............lO..8............................................ ............... ..H............text...,N... ...P.................. ..`.rsrc................R..............@..@.reloc...............X..............@..B.................P......H.......|.)..eH..........kq......N........................................{....*..{....*V.(......}......}....*...0..;........u......,/(.....{.....{....o....,.(.....{.....{....o....*.*. .*.. )UU.Z(.....{....o....X )UU.Z(.....{....o....X*.0...........r...p......%..{...........r.....r...-.qr........r...-.&.+...r...o.....%..{...........s.....s...-.qs........s...-.&.+...s...o.....(....*"..(....*....0..y........{....-j..}....~....-F.....(..........(....~....-.rK..p.....(....o....s.
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):956184
            Entropy (8bit):6.205504694373111
            Encrypted:false
            SSDEEP:12288:2uvIC92BUThTR3K4C0bjAoSWdiINsETvWTqMn2mx+O4MthW8zqnwG6MD:cCrTR3Ks7biAsETvWGMnF+z
            MD5:20E96B192DFC19328895D4B11426DB39
            SHA1:CB29E93E6F9F4A1A2C0BE5FB55C2E3578BBBA842
            SHA-256:F7129B1A5834E3CCBEAFB9332F6D94B1556D92D22CA18D77988A1D6E09AD6604
            SHA-512:30A161D1E34F46BA7EBF09A9FCF65E1DC2C05F4FA1B9FDD36FFA6FB3F0C85B69D1084596FEA3E458F7634C811898DE5D60CFA2826D59B2139754F493BD281000
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0..r............... ........... ....................................`.................................8...O....................|..............X...8............................................ ............... ..H............text....q... ...r.................. ..`.rsrc................t..............@..@.reloc...............z..............@..B................l.......H........;............................................................"..(....*....0..y........{....-j..}....~....-F.....(..........(....~....-.r...p.....(....o....s............,..(......~.....(....o....(.....(....*.........#./R.......~....*.......*.~....*.......*.r;..p.....*:.(......o....*..(....*j..(.....rI..p(......}....*..{....*j..(.....rI..p(......}....*..{....*>..(......}....*2.{....oc...*V.(......}......}....*..{....*..{....*..{....*"..}....*V.(......}......}....*..{
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):91928
            Entropy (8bit):5.978180717123026
            Encrypted:false
            SSDEEP:1536:RWIxzC8BonJzO7ViV7SlMltRy95ML3N9Pesjx5YcDNm1zKKTUf1:R/OsxMysB9msjx5YcDNKWT
            MD5:B5F99276F0BBF07560C0C65BD2205ECA
            SHA1:F9A3F76EBB53CCA91BAAB09BE22D72790E6367BD
            SHA-256:70850768350ACC8092731741C4D775D9054D8D0D4CC4F8188B230E60A2059341
            SHA-512:F60BCD082278CBFA4D38B9416AED425519F1A7895B90FC70C8B732A6B06EE764303B03DA6E353D5F166D94178662D94DF29FBE2E3C017002629988B12B68E7A4
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....i..........." ..0..B..........Na... ........... ....................................`..................................`..O....................L...............`..8............................................ ............... ..H............text...TA... ...B.................. ..`.rsrc................D..............@..@.reloc...............J..............@..B................0a......H........y..............d9..(&..._......................................"..(/...*....0..y........{....-j..}....~....-F.....(0.........(1...~....-.r...p.....(0...o2...s3...........,..(4.....~.....(5...o6...(7....(5...*.........#./R........{....*"..}....*..{....*"..}....*..{....*..~8...}.....(9....s:...}.....s{...}....*..(....*..(....*..{....*..(....*..0..B.........(;...-..+..(<......(;...-..+.....(;...,..(=......2.........*.*.*...0..2.........(;...-..+..(<......(;...-..+....."
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):16262936
            Entropy (8bit):6.233209741144202
            Encrypted:false
            SSDEEP:196608:aikPs+EX0i4JjbSCUKaDmSizUR9YDY98mJLAAH+IL/scjyKBZgKg:afvmqNILcz
            MD5:32E7F9656778D71F1DEAEED18052D07F
            SHA1:23DD8BFD1EC06519CBD92478E196503FADD0623C
            SHA-256:5BA12D3DF3493D25047F0D7C29264C1FACFED82F0D76C37A84495341C0A53518
            SHA-512:6CBBD73C92842CB1E8AC2906E5F5FF73967ABC0B4A859EF6FE4656587025FFBC4DF93EAEB9056DC7DE5BD3016D1F8689AAFA290415A88269E7657437920C6E02
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...=I%..........." ..0.................. ...@....... ....................................`.....................................O....@.......................`..........8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B........................H........IM.............tb...\(........................................."..(....*....0..y........{....-j..}....~....-F.....(..........(....~....-.r...p.....(....o....s............,..(......~.....(....o....(.....(....*.........#./R.......(....*..(....*.(....*"..(....*..(....*:.(......}....*...0...........{....o......-..*...o....*...0...........{....o......-..*...o....*..(....*..{....*..{.....3.*..}.....rQ..p.....o...+*..(....*"..(....*z.{....-..(#...,..(#...ox...*.*Z.(#...,..(
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):17098008
            Entropy (8bit):7.31349318942216
            Encrypted:false
            SSDEEP:393216:9qDWAOfraPwfa8LEOpobJCVEbPc6wDHPpebc:9eWAOfraPwfa8LEOpobJKEbPc6EHxebc
            MD5:F4A7D6905296088BDA47068146469F4C
            SHA1:D36F487D280DB80966DC7B5F760B19A0156D4F17
            SHA-256:AEBEF2C7D3B22A7F3A28A43D406C63AD36749CA8BDDEF6D083F8041F8F5366CC
            SHA-512:6D9E0FADA0C18C8F604D2541C592A1507A3F6B7D7B9E4EE946240D96B02A2E7A3ACA9033DCCEFCC552A2145EDB447E85890744C19F7EA4D3D8B9ACC0A46811BA
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....b..........." ..0.............^.... ........... ....................... ............`.....................................O.......h...........................0...8............................................ ............... ..H............text........ ...................... ..`.rsrc...h...........................@..@.reloc..............................@..B................=.......H.......h...he-...........C............................................."..(O...*....0..y........{....-j..}....~....-F.....(..........(....~....-.r...p.....(....o....s............,..(......~.....(....o....(.....(....*.........#./R.......0..'........-..*......(....o....u......,..o....*.*..0..4........-..*......(....o....u......,..o....-..o.......*.*.*.0..".............(....o....u......-..*.o....*...0..A.............(....o....u......,..o....*......(....o....u......,..*(....*.*.
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):3099416
            Entropy (8bit):6.227746384548725
            Encrypted:false
            SSDEEP:49152:CGtV2Wb+hSkJ3X5Q9/RoIpj3jSswb+/npGZIyy5myrhaA:f2WKTa1wU
            MD5:CA32984A5435B867254547728E81EC16
            SHA1:9A760516F5603FEAA5D6C4A83CF89CBA1D43ED97
            SHA-256:83D34AFBE83E45D88D80D37F500AD668ECE0D061B0D6D5358BD1E5C16C305F08
            SHA-512:6EFC8EBDCBDB57B3BC5604AF38224D1C2CDB592A26D8562E096505443783DFF0498ABBE444FE2556D81DDF4FA9B663950BF03C0883B4C8989D0B584148BE09C4
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...%J..........." ..0..&/..........E/.. ...`/...... ......................../...........`.................................2E/.O....`/..............0/......./.....LD/.8............................................ ............... ..H............text....%/.. ...&/................. ..`.rsrc........`/......(/.............@..@.reloc......../......./.............@..B................fE/.....H.........................#.0....C/....................................."..(c...*....0..y........{....-j..}....~....-F.....(..........(....~....-.r...p.....(....o....s............,..(......~.....(....o....(.....(....*.........#./R.......0..v........o\K..,..o\K..-..*.u....,...t.....t....(....*.u....,...t.....t....(....*.u....,...t.....t....(....*..t.....t....(....*...0.._..........(.....(....s.......o....`..(.....(....s.......o....`..(.....(....s.......o....`..(.....(....s....
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):195352
            Entropy (8bit):6.0951734436879015
            Encrypted:false
            SSDEEP:3072:SafdUDFxD61FlHs8nDcn4DIGAYjlPb7PsqbsVt8U7lh7rk4/uZ+sGy5EY0m:SafdUDFxD61FlHs8oohAYjp70qbsn7rK
            MD5:F6B41EFE81860DB7FADF04F4FCD1B12C
            SHA1:EE21F5B27D28E34D819DD1E06922AF520E325405
            SHA-256:AB70F543EC02223E6AF0743A49881C2DC19D69FAEE0C2A3F455E18C396557FBE
            SHA-512:83E453FD51400063505DD559985134626BBBA4162981564A598EC9D9132549BE54A09A92D259B0098F6B97537207B672779846FE2234B3CAFC4CA6470DDFB396
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....}............" ..0.............J.... ........... .......................@............`.....................................O............................ ..........8............................................ ............... ..H............text...P.... ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B................,.......H........:..............................................................*.o.......*6.o.....(....*:.o......(....*.0..@.......s5.....o6....+..o&......(7......(.....o....-....,..o......o8...*........"/.......0..s.......s5.....o9...o:....+D.o;......(7....o.......(!.......(....-......(....+...(.....{....0....o....-....,..o......o8...*.........Pb.......0..>.......s5.....o%....+..o$......o....o<...&.o....-....,..o......o8...*.......... -.......0...........oe...o=...o>....+b.o?......
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):1455384
            Entropy (8bit):6.100882747558708
            Encrypted:false
            SSDEEP:12288:Cl8ZQPdAMRWKFHXgcKV9hrSMP/pyfnpFXFxS+oQaBB1GXMj:ClAQPTcV9hP/pyfpRFkHzBIXMj
            MD5:CADA2839E7FBFE8F2EDE1F861E6EA5B2
            SHA1:414A22F63798305701EF7EC5EB8D4C1D5F76E47A
            SHA-256:5B426537E80EADD1BDFC4F63855F00CE16DC64245C8D55EFC84C4A964864C80A
            SHA-512:873EE97B09C1830E0A8050A26319ABC581CD4C0F0740267C445D9ADEE01DAA7BF4AE982392BD749257D37B9871139462886D2DE776FCEE7ACB471F06D0A76259
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...!x............" ..0.............^.... ...@....... ....................................`.....................................O....@..p....................`...... -..8............................................ ............... ..H............text...t.... ...................... ..`.rsrc...p....@......................@..@.reloc.......`......................@..B................@.......H........................... I...,........................................{....*..{....*V.(......}......}....*...0..;........u......,/(.....{.....{....o....,.(.....{.....{....o....*.*. ..c. )UU.Z(.....{....o....X )UU.Z(.....{....o....X*.0...........r...p......%..{.....................-.q.............-.&.+.......o.....%..{.....................-.q.............-.&.+.......o.....(....*"..(....*....0..y........{....-j..}....~....-F.....(..........(....~....-.r;..p.....(....o....s.
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):10757912
            Entropy (8bit):6.302866223624233
            Encrypted:false
            SSDEEP:98304:2qLPRYvVUpkVCKrb4Wm6I8xkWbWAOfraPKQEMehl3bzXJamSRe:/LRYdUECKv4YPWAOfraP1ehlRa1g
            MD5:C2189B47D0F725F56CE342444F04B328
            SHA1:E30A3389981E0084C78B6CEAAD098494A286BBBD
            SHA-256:F2E7A0B4EB8CE303092CB88C67EC40BDDBD818C7B375FAD8D82CB134C1777F6D
            SHA-512:D5CED936FB95210BFBF8D6E6F0A55CDA7F56DE758D076048965C4F2907EDEEAA9282D96158A47DFE6095414D2DAA532AC8A3A0D10CAEA0DEF39E05707453D622
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....A@............!..0.............n!... ........@.. ....................................`................................. !..K....@..P....................`......@ ..8............................................ ............... ..H............text...t.... ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B................P!......H.........S..TP.........0.%.(.....S......................................(.x..*..{....*..{....*..{....*r.(......}......}......}....*.0..S........u......,G(.....{.....{....o....,/(.....{.....{....o....,.(.....{.....{....o....*.*..0..K....... .).. )UU.Z(.....{....o....X )UU.Z(.....{....o....X )UU.Z(.....{....o....X*..0...........r...p......%..{.....................-.q.............-.&.+.......o.....%..{.....................-.q.............-.&.+.......o.....%..{..................
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):1621272
            Entropy (8bit):6.079631587878781
            Encrypted:false
            SSDEEP:24576:/kd8WcpbdwrLCoeyOt3ewSLD+lYQtO5QI2noIzFOJ7Ddvy+5:/hbdwrfeEwmYntLI2G7Ddvt5
            MD5:52D03D62A069DA1C4841CD70F0D1877E
            SHA1:4BDB8366D80DF7EE6AC989ED6271159AEC676D0C
            SHA-256:2AEFEDB66DDECEF2A2262A144BA0F3D7C403926891629C38EEE7559DD28D9FEA
            SHA-512:A7DC403E14F20C0DC859CA1118F37BEF8F7C7D004496C73ADB6152D9BEA148AD8E82EB7F6CE010B9A1259B4FA6A5B247E4531B8D8E70F2A871B2644441D04605
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0.................. ........... ....................................`.................................T...O...................................l...8............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H...........@...........4.............................................."..(x...*....0..y........{....-j..}....~....-F.....(y.........(z...~....-.r...p.....(y...o{...s|...........,..(}.....~.....(~...o....(.....(~...*.........#./R.......(....o...+*.(....o...+*.(....o...+*.(....o...+*..{....*"..}....*2.(....o[...*6.(.....o\...*2.(....o]...*6.(.....o^...*2.(....o_...*6.(.....o`...*..(....*...0..k........(.....(....(...+..u'...~....%-.&~.......%..s....%.....(...+%-+&.u(...~....%
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):509208
            Entropy (8bit):5.718672535619859
            Encrypted:false
            SSDEEP:6144:1Q9rAEPq+Xiaekmj6nsh/7yXg02dn/OJ27Tr/+:BSi0Mq
            MD5:2935C99BC865A609051E8D6110D7B510
            SHA1:3F94E6DF069D208FDC7D6F64721896EAA65E8835
            SHA-256:375C3FAF30C3956D9EB694307F05B46E87F36B65B7E5F773C79DD4FAD69175CC
            SHA-512:279C29D4645480AE84E3C81B5E8989F5301FE03316FB8DACC0CB6514707C17021EBD03DF1F2847CFB8B085C574A430C44CAFEAA95D91C3B806BA3923D82C27F0
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...>............" ..0.............Z.... ........... ....................................`.....................................O.......................................8............................................ ............... ..H............text...`.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................;.......H.........................................................................(1...*.0..-.......~....- r...p.....(2...o3...s4..........~....*.~....*.......*V(....rQ..p~....o5...*..{....*"..}....*..{....*"..}....*..{....*"..}....*....0..H........E....!...................+!#.......?*.o....*.o....*.(....*.*r...ps6...zF..#.......?(....*...0..H........(.......(7...-..(.......(7...,.#.......?*.(.......(8....(.......(8...[*.0..H........(.......(7...-..(.......(7...,.#.......?*.(.......(
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):1574168
            Entropy (8bit):7.086588952213966
            Encrypted:false
            SSDEEP:24576:HzG9NcpzaW8z8mJzs1BXrREGRoccTEf2VZXVZScpcKExTDZB1D1in1D1i9EZ6xF7:HzG9NcpzaW8z8mJzs1BXrhoQsgGp0t+S
            MD5:830247701E4761713DDF655E774832B4
            SHA1:08E32EF3D3FFAA4EBB3F8E82DBF6C9673547F1F5
            SHA-256:A052EB8F44DC688AFE5D79232CD45BAC6806CDCCF762AB40AF67E258D4E49A16
            SHA-512:760EA9A9DDFC0D8E9B52F179B063E2DF7B3FEC82EBF3E29DF435CD49C6C8F38CD3AF32AEA7C066C5F79029218BAAB2D168581AA71CBCC2D70AC07DB75C5D7523
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0.................. ........... .......................@............`.....................................O............................ ..........8............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H........r..<...........,....\..D......................................."..(H...*....0..y........{....-j..}....~....-F.....(I.........(J...~....-.r...p.....(I...oK...sL...........,..(M.....~.....(N...oO...(P....(N...*.........#./R......F.~....(Q........*J.~..........(R...*..(....*.rG..p....(I........(I................sS...sT...(U........*F.~....(Q.... ...*J.~...... ...(R...*F.~....(Q...t!...*6.~.....(R...*..*....0..m.......sV.....#........sW...oX....#.......?sW...oY.....(...
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):2404632
            Entropy (8bit):6.090163311953622
            Encrypted:false
            SSDEEP:24576:bdn0aB6mTGYjGmMU242gq8hN0rAgZYZuleRLL/Z5D+3xe+tPVrjpZg50qXzRI7:bDAIjQ2QAgytlrbD+3h5l
            MD5:B59051E5659D1BF28888D03072248A9D
            SHA1:D8FBC31646F97AC29F0BDFFEC9F269A62006F752
            SHA-256:1F7B6B0CDA68F6861480F9DEC693DEED24C642DA0A76AFF1997301D4ADD0C066
            SHA-512:E54AA190241988A0FBB7CBA7B8823DDC05DBC42DAC726D9EEB353F21C73F027299012B04E4219B3F61B1DE4D47540D141AAFCB02AFFC7934EFE7BA3EE8038F63
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....'............" ..0...$.........>.$.. ....$...... ........................%...........`..................................$.O.....$...............$.......$.......$.8............................................ ............... ..H............text....$.. ....$................. ..`.rsrc.........$.......$.............@..@.reloc........$.......$.............@..B..................$.....H........_................!.......$.......................................{....*..{....*..{....*..{....*..(......}......}......}.......}....*....0..k........u......,_(.....{.....{....o....,G(.....{.....{....o....,/(.....{.....{....o....,.(.....{.....{....o....*.*..0..b....... to.. )UU.Z(.....{....o....X )UU.Z(.....{....o....X )UU.Z(.....{....o....X )UU.Z(.....{....o....X*...0...........r...p......%..{.....................-.q.............-.&.+.......o.....%..{.................
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):272152
            Entropy (8bit):6.099563131579717
            Encrypted:false
            SSDEEP:6144:JvzLRq4dc/dJXucSXCrQ1gWRKAv1sqszZQ/:JvzLR7oclXqBzI
            MD5:91C698DE91F3F001A1740A543A56DBAD
            SHA1:C621D44FFF9F13E2CBE4546F18BE39935392DCD0
            SHA-256:B60735B4DC93EA02263724BDC7AD8EC6CE3A3888CF93EAEFDCCA209E54D12D69
            SHA-512:D0EEBF6C63B57DED5F897BF1D0C06202FD4B5566FC91C6D77393B16ED0F184534129A3534B1F134428F8E4413E2BAFA81850B3943DD83A838AB46DC1A45D2157
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B............." ..0.............. ... ...@....... ....................................`.................................. ..O....@.......................`..........8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................. ......H.......4....................D............................................{=...*..{>...*V.(?.....}=.....}>...*...0..;........um.....,/(@....{=....{=...oA...,.(B....{>....{>...oC...*.*. Z.C. )UU.Z(@....{=...oD...X )UU.Z(B....{>...oE...X*.0...........r...p......%..{=..........p.....p...-.qp........p...-.&.+...p...oF....%..{>..........q.....q...-.qq........q...-.&.+...q...oF....(G...*.0..#.........(H...,...*.........sI......o...+*n.u....-..s....z.t....oK...*n.u*...-..s ...z.t*..
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):2544920
            Entropy (8bit):6.199854121631831
            Encrypted:false
            SSDEEP:49152:46svM7dxMks6zGQCSKPLtDfACmCJmvNMMEzH:NjtGM+H
            MD5:8AE954BF37F8869DFB48FCDF1FBB4A28
            SHA1:204C67A56564DCB8B539A6CB439E7C663C3BC87C
            SHA-256:7DBD8F8946827243EA616BFAE02D4992BE40E1A4A14BDAE8D5171033EAF58E0D
            SHA-512:67CEE36A277A58126151F802FEA7739275E30F9EF9C5C1CF0BC27E50847F96CA79282E3A5123C649391B1889BE185ADF435E73B2068BD35688C50BDD87606C78
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...v.O..........." ..0...&.........B.&.. ....&...... ....................... '...........`...................................&.O.....&...............&.......'.......&.8............................................ ............... ..H............text.....&.. ....&................. ..`.rsrc.........&.......&.............@..@.reloc........'.......&.............@..B................$.&.....H.......D................}...N....&.......................................{5...*..{6...*V.(7.....}5.....}6...*...0..;........u......,/(8....{5....{5...o9...,.(:....{6....{6...o;...*.*. .^:G )UU.Z(8....{5...o<...X )UU.Z(:....{6...o=...X*.0...........r...p......%..{5....................-.q.............-.&.+.......o>....%..{6....................-.q.............-.&.+.......o>....(?...*"..(@...*....0..y........{....-j..}....~....-F.....(A.........(B...~....-.rS..p.....(A...oC...sD
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):111896
            Entropy (8bit):6.067349714046611
            Encrypted:false
            SSDEEP:1536:He6CXc6eOLDYh0lJIYWZNACV9XscHzusQ/svh0dw+WrIvybU1hstd8uUfM:He6mgclJTilcRUGwYW8G
            MD5:389F4DFA9B84A61F72983FF3A7FCCCC8
            SHA1:2857DDB39A9F249FB380823D529B10FE4E811EFB
            SHA-256:183ADC2B163ED7C6E3D115F49A6EE189D7F14C20E574E02B7E73CE0CC6CA0174
            SHA-512:3A783A4551776C4085004F192AFB02077967CCB44E19D54DD965AA339C9D2BABEB88AA48EDA25F3394E412297B6614EBA4AEAFCCA68F38E1756148AE3FE47779
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....=..........." ..0.................. ........... ....................................`.................................L...O...................................\...8............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......................................................................-...(-...+...-..+...(......(/.....(0...s1...*R.-..+...-..+..s2...*N.-...(3...*..(4...*N.-...(0...*..(/...*.0..5.........(......-..o.......(/....s2...*..o.......(0...s2...*....0..a.........o....(......o....-....o....(.....o....XY..o....-....o....(.....o....XY..#........4.#..........*....0............o....(......#........3..........*..o....(.......Z.(......o....-....YX#........(5...+....-..o.......(/....s
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):491800
            Entropy (8bit):6.056175887930674
            Encrypted:false
            SSDEEP:6144:hOJkiO3u6QVC7YPvr12SHJnfL2dZchXl0DVsxlqDYvWlLRxaHu/IccY3PE1e8NI:oJHmm1hfiD5pPOy
            MD5:0AEBF0C16A8FDA2DDB2CD01499AC9998
            SHA1:2B5536A1BC6FB77BE09CFDA4132231BA4C3F254B
            SHA-256:84086AEE8B7F376582BF45CF6315A64F0C72EA95A5C7AA3302425402DE68EBF1
            SHA-512:346B93B17ADC80BDD9ED51A718DC1D82CDBFEE6329D8A623E1D013F6A81310FA746F1A2C9F72C581A5DE6FA8B8A0EFBB7DCDD9F5C4302BE11F1DEBDF5EC58A79
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...b:............" ..0..\..........~z... ........... ....................................`.................................+z..O....................f..............0y..8............................................ ............... ..H............text....Z... ...\.................. ..`.rsrc................^..............@..@.reloc...............d..............@..B................_z......H........%...#..........XI..X/...x......................................"..(J...*....0..y........{....-j..}....~....-F.....(K.........(L...~....-.r...p.....(K...oM...sN...........,..(O.....~.....(P...oQ...(R....(P...*.........#./R.......(S...o...+*.(S...o...+*..{....*"..}....*2.(....o|...*J.(.....t....o}...*2.(....o~...*6.(.....o....*2.(....o....*6.(.....o....*..(U...*2.(....t....*"..(....*..(....*....0...........{....-N.....(K...sV.....~W...sX...oY....~Z....([...o\....s]...%
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):571160
            Entropy (8bit):5.978465458469967
            Encrypted:false
            SSDEEP:6144:6mvKHQbouTLWLNkAlCaNzZrAwq2UPGy5TkT7NZVovroWQJ8As1wMMWy2A6IrlALx:+QPxse52Df5sii
            MD5:1E64587F78B4935CDE3292459AC36B9B
            SHA1:0CB88335E51EDC093FB684FF8F174A78E518BE0C
            SHA-256:6C487E7CDFDC3ACAD7232595D310CC3CF550C1AB92FC12B124FFF93A3799F39D
            SHA-512:AE76F083AE5AD8AE525E0A541B7F01E41B313D05ECFBF2A88CCA8B2403FDB52233A62D4690FB15B43DFE35A9B74B2CBE51BFD441FDA3BA4DE11A2B1F25E660C9
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....l..........." ..0.............v.... ........... ....................................`................................."...O...................................<...8............................................ ............... ..H............text...|.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................V.......H............R..........|...@..........................................."..(N...*....0..y........{....-j..}....~....-F.....(O.........(P...~....-.r...p.....(O...oQ...sR...........,..(S.....~.....(T...oU...(V....(T...*.........#./R.......(W...o...+*.(W...o...+*..{....*.0..&........{.....3.*.{.......}.......{....o....*.*..(Y...*2.(....o....*....0..0........(....o.....3.*.(....o......(.....o.......(....*2.(....o....*6.(.....o....*..{....*"..}....*f..(......(....oZ...(....*..(...
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):894232
            Entropy (8bit):5.470260701424674
            Encrypted:false
            SSDEEP:6144:jLZJI8znrogEZqgOVAikjQZaVYZ/rkj3HrvNvOgkMBPAe7HBHT+nnpUgeynTHXg7:jLZRrogEZqLVp+BqFuMAU30aEA6n
            MD5:0450127A8D3CEEEEC027DAE19670EB6E
            SHA1:44E83CFF621676AEB2FC80FF0ECAAD7E5A6B5A62
            SHA-256:70BC62776A40708B100D3A7016C136153753B6F5CE11A811626F073CEF5DA870
            SHA-512:F3B589BE6BCA059886A06791AF4FC14B41594D330C8A2006B0EFC7A6332103497252A57F288E56BB3D8D1968AAB5CE71632D11ED7846A5613729190C074C991A
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0.................. ........... ....................................`.....................................O......................................8............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......D...............X{...!..P.........................................{<...*..{=...*V.(>.....}<.....}=...*...0..;........u......,/(?....{<....{<...o@...,.(A....{=....{=...oB...*.*. ,.L: )UU.Z(?....{<...oC...X )UU.Z(A....{=...oD...X*.0...........r...p......%..{<....................-.q.............-.&.+.......oE....%..{=....................-.q.............-.&.+.......oE....(F...*.~....*.......*.~....*.......*...0...............(G....rK..p.sH...(.....!...(G...(....~.........
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):1509656
            Entropy (8bit):6.41608606409566
            Encrypted:false
            SSDEEP:24576:HfOuT/4z6s89PATFzII8kJSIRZ3iT84heQZN:4znFsIHRZSTzjN
            MD5:105E31BA1B0D3D9D06ED66916DFE0CF3
            SHA1:D3F23BD22639A5217574730EFF76E3895F9B8E5D
            SHA-256:AAF14411D675B6267F4613E57BB412D054A0B14A46D362BCDF2940EAE19D3387
            SHA-512:B609AD0C3FD6AA75E61FC385DDDF60DE1F4D6C1FD45495C3A3F0E122F613CA1DB88D3DD0BA132C9764E501CA088313AFC1EAF7715871B1BED85A45FA2FDE2B56
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....v............" ..0.............>.... ... ....... .......................`............`.....................................O.... .......................@..........8............................................ ............... ..H............text...\.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................ .......H........a..L............(..x..........................................."..(....*....0..y........{....-j..}....~....-F.....(..........(....~....-.r...p.....(....o....s............,..(......~.....(....o....(.....(....*.........#./R......>. 4......(....*2......o....*:........o....*.0..,........o....rK..p $.......$...%...%....o....t'...*&...o....*..(....*"..(....*..(.....rk..p(......}......o....*&...(....*&...(....*2.{....(....*....0...........{....sq......o....*2.{....(....*6..
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):1765656
            Entropy (8bit):6.240928362918959
            Encrypted:false
            SSDEEP:49152:rnFIesX348fajTuMekvubKhwWHo534Bm0jhWN7BxTUrSTUiTUfTU7xyA6BThV3RS:run48cKAK7
            MD5:47A47EE9DAFD665BF55B0844121B6A3F
            SHA1:E40BEAF81D64D101053BFC95D4FA5F1CC92564E9
            SHA-256:D08FB5E980D84581276EA758A6102B1AF24B77939F64225F64291C1EAA037BF9
            SHA-512:A6B5D10FC9CAFCEFBC20D29F1F3F360969AE957E7EE65FD6A541B8680196997E67FC0718F0AB80F14AD8438B1F7E887E871EC480B052F9ADC633E77F6DE842B4
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0.................. ........... .......................@............`.................................B...O............................ ......\...8............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B................v.......H.......X...D...............@M............................................{....*..{....*V.(......}......}....*...0..;........uO.....,/(.....{.....{....o....,.(.....{.....{....o....*.*. .F*. )UU.Z(.....{....o....X )UU.Z(.....{....o....X*.0...........r...p......%..{...........R.....R...-.qR........R...-.&.+...R...o.....%..{...........S.....S...-.qS........S...-.&.+...S...o.....(....*..{....*..{....*V.(......}......}....*...0..;........uT.....,/(.....{.....{....o....,.(.....{...
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):2217240
            Entropy (8bit):6.083465616508211
            Encrypted:false
            SSDEEP:24576:/zXQS86ZW4aF7ZNHeHQNn9Va0lnDIn8H+hk+4xrOkAxCzeeX+Zo0HoaW1A5gHY4N:h86ZW4aF7ZNHeHQNn9Vlw42UpVYv5u
            MD5:18E1D5ECE9A9021608C043FB62A487D4
            SHA1:94C591504B906DC8D8AF8188CF55E7ABD7315440
            SHA-256:CAE306BC8F97E2416F9FAC14E128EC348A520DFFCB54BFA3AB2731887230414D
            SHA-512:50D6886EC352C5B25ECD6552DC65C7AA43121F6E1243ECB80913C3384FA3296EAA87E3934275D80325E53B126877894A3C7C391428771637C4FFD3FF50FA34E9
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0...!...........!.. ....!...... ....................... "...........`.................................|.!.O.....!...............!.......".......!.8............................................ ............... ..H............text.....!.. ....!................. ..`.rsrc.........!.......!.............@..@.reloc........".......!.............@..B..................!.....H..........................x.....!....................................."..($...*....0..y........{....-j..}....~....-F.....(%.........(&...~....-.r...p.....(%...o'...s(...........,..().....~.....(*...o+...(,....(*...*.........#./R......>. 4......(-...*2......o....*:........o/...*.0..,........o0...rK..p $.......$...%...%....o1...t'...*&...o2...*..(3...*"..(....*"..(....*..(4....rk..p(5.....}......('....()...*.(....*.(....*.(....*.(....*..*Z.{....o....o6...o7...*^.{....o....o6.
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):3208472
            Entropy (8bit):6.06918768330684
            Encrypted:false
            SSDEEP:24576:srtjfWGeKxTkNtp7RMbbBaPkdIeG2ev04HX02xrFqAVQoZVWWth8e7J:srtfWGeKxTatp7+I2EhQoZUWthN
            MD5:AE285AD77FAB180BDA52A17376F1E0DF
            SHA1:0B07BEAB0E03EDCE88A5F2422A3617197DA9DDED
            SHA-256:28CFF0B16BC7EA46A84B7BC0349E016EBEB78748D8335DAC573BD3E9E3C6B4C9
            SHA-512:F2DF7E8DC5CDC43E396498B6A7EA3DD4D4C9F9D5D3D67C3B18CFE70B4A0421DEF1DF864A063C23F7F4A1DD568A50DED1B3CCF16A13DC7563C2694AF0235459F8
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0...0...........0.. ....1...... .......................@1...........`...................................0.O.....1...............0...... 1.......0.8............................................ ............... ..H............text.....0.. ....0................. ..`.rsrc.........1.......0.............@..@.reloc....... 1.......0.............@..B..................0.....H...........t............V..0...@.0....................................."..(e...*....0..y........{....-j..}....~....-F.....(f.........(g...~....-.r...p.....(f...oh...si...........,..(j.....~.....(k...ol...(m....(k...*.........#./R......>. 4......(n...*2......oo...*:........op...*.0..,........oq...rQ..p $.......#...%...%....or...t&...*&...os...*..(t...*...0...........ou.....o...+..,..ow...,..ox...-..*.oy...oz....o{....o|.....ox...-.........o}....(~...(....o..........(........
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):8063768
            Entropy (8bit):6.194306937854696
            Encrypted:false
            SSDEEP:49152:dP6Ggp66eHIx496/mv0Wb3C0ZhBMOsv+hE:59BMP3
            MD5:E3A5B4EAF64FFBEDCAA5F4F3AAD166C4
            SHA1:566BD726B6FF0D506973F6563BC95ACA311A3983
            SHA-256:E4B7DB2AD7F472316FFB612798861D8DABF2535126C7EFFE9F18D7034451A870
            SHA-512:8B5C82B679E4FCC46DEB71ED8CB86F7F9D68196B1631D03F63069C0E3796B15E7372B56D06D1DFCE845312DDA3594A675B81BAF4881C55B6C613BF895000E0A6
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...&H..........." ..0...z...........{.. ... {...... .......................`{...........`.................................A.{.O.... {...............z......@{.....D.{.8............................................ ............... ..H............text.....z.. ....z................. ..`.rsrc........ {.......z.............@..@.reloc.......@{.......z.............@..B................u.{.....H.......P ..............d*..`.z...{.....................................BSJB............v4.0.30319......l...0...#~..........#Strings....x.......#US.|.......#GUID...........#Blob......................3................................................p.E.....E...o...........@.....!.....................................................].......e.....&...?.&...M.e...........7.....-...........................).....1.....9.....A.....I.....Q.....Y.....a.....i.....y.....................
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):8023552
            Entropy (8bit):6.187236327531755
            Encrypted:false
            SSDEEP:49152:0P6Lbp66eHf+s96/mOtP/3CkZsuxosvxh:VnDx5
            MD5:60C839DA133276A73390E4023C634A1F
            SHA1:FECAE520214A93A54119F83BFFB706FD03FF458A
            SHA-256:57772C082188E8CFBD913B5013BF87D3C70BCC9EFCD16CD36407486776506058
            SHA-512:48AC4DB11BEC437C2AF6563D848F07002D1D42A18068F5B8CEF048A6DED794319828B6AD94D55D038C404B966EDEB731AFEA7488F417E8A113152A5AD3E4B6B3
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......^.........." ..0..dz..........z.. ....z...... ........................z...........`...................................z.O.....z.......................z.....d.z.............................................. ............... ..H............text....cz.. ...dz................. ..`.rsrc.........z......fz.............@..@.reloc........z......lz.............@..B.................z.....H.......P ..<............)...Xz.........................................BSJB............v4.0.30319......l...0...#~..........#Strings....P.......#US.T.......#GUID...d.......#Blob......................3................................................j.!.....!...i...........:...........................................................W.......A...}.....9.....G.A...........1.....'...........................).....1.....9.....A.....I.....Q.....Y.....a.....i.....y.....................
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):2141464
            Entropy (8bit):5.891066909312881
            Encrypted:false
            SSDEEP:24576:6+1GEiFbDu7ywJH6J6iRmVWcp9uP4A9xquTwK3hYf14myp9XSBREMBKtMy6CGzAl:oEObDYywJHOmVWcp9uP7PpNSBREVKjoj
            MD5:7C419315BAC48D1B47CC082D90B1BEE0
            SHA1:55A964F6942C157D1D15E0A83010CDFE90773DA8
            SHA-256:FC5FAF2E53F970CB654B14410D5E785B71A1F4E478E24B011F5E7794038BD710
            SHA-512:E45AA21AEB929F629AF42B2A5749B2D9FF04846E4720E8531CCA7468638615F0692A91D8446BB1429448676597083BF31B1F021DF1CF01F4B1D13A4A605C2D30
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....vj..........." ..0... .......... .. .... ...... ........................!...........`................................... .O..... .X............. ....... ....... .8............................................ ............... ..H............text...(. .. .... ................. ..`.rsrc...X..... ....... .............@..@.reloc........ ....... .............@..B................. .....H...........................(...<. ....................................."..(....*....0..y........{....-j..}....~....-F.....(<.........(=...~....-.r...p.....(<...o>...s?...........,..(@.....~.....(A...oB...(C....(A...*.........#./R........(D...*. ....j*..(E...*..(F...*:.(......oG...*..0..C.........(......}......}.....($.....o0......}......,....(......,....(....*Z.(F.............(....*^.(F..............(....*B.,...,..*.(....*..0..........sH.....o....(...+.o~...~....%-.&~.......
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):4923672
            Entropy (8bit):6.495464234891096
            Encrypted:false
            SSDEEP:49152:MMoI1gQPlvMZu5Y7E/R040m56fsoB+3zpeb5QAPmezxg8fn0lKm+f6:hgypX/RGKlKm+f6
            MD5:9544F9026246375EADEE45BEB110394E
            SHA1:991C55A86077BEAEFE5ADCDB9B86B1E1D975B12C
            SHA-256:9D47695901CEC0E401763DC0D683EC7A8B774B3664CD7614ED68C5FBFF6CF0EF
            SHA-512:7905002D7543B78B9A6183BF0FE035879D9F6CB91E1830508EFF5336D83410CAA5E4610EB280984ADBE1ECE8D22C10C43750686A879971488F1825E7BD8450B3
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....#..........." ..0...J.........r.K.. ... K...... .......................`K...........`................................. .K.O.... K...............K......@K.....8.K.8............................................ ............... ..H............text.....J.. ....J................. ..`.rsrc........ K.......J.............@..@.reloc.......@K.......K.............@..B................T.K.....H....... ...H. .........h.0.Pt....K.......................................E.......................3..*.*.*B........+..*.*.*r.E................+..*.*.*.*"..(....*....0..y........{....-j..}....~....-F.....(/.........(0...~....-.r...p.....(/...o1...s2...........,..(3.....~.....(4...o5...(6....(4...*.........#./R......:.(7.....}....*.s8...*...0..........s9.....o:.....+ ..o;.......o<...o=....1....o>.....o....-.....,...o......o?...,..o?...+....{.....(O[...(@.....oA...sB.....oC.....
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):6962456
            Entropy (8bit):6.369902820199301
            Encrypted:false
            SSDEEP:49152:Hn22+gm8TKJ5DiVtj/Ypz3JhyPxSdXsMrwl0DD3k/7YtHqkSYVK/e:H22Ta5WH/s5NIDY8kpVt
            MD5:7E7ECCD2067BA53574F69DF7567AB5DB
            SHA1:CF6B559DAD6D310B22BDE6C069CF1E243218B508
            SHA-256:8B2886FDFCCB2DC9C65CC9FDC87FB04B0EDCB386B94C5A300B6C0EB808568571
            SHA-512:55B5F4B2B2149C78D1D243E9E7D70E4E8EE1550D16D5B43AAB5E595EB8F4605FD4F56CE983F1C2AB3BA1ACFE32FDEFFE6CB3B2B850566574B82504531538DB72
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0...j........../j.. ...@j...... ........................j...........`.................................3/j.O....@j.............."j......`j.....H.j.8............................................ ............... ..H............text...t.j.. ....j................. ..`.rsrc........@j.......j.............@..@.reloc.......`j...... j.............@..B................g/j.....H.............2..........%P.@....-j....................................."..( ...*....0..y........{....-j..}....~....-F.....(1.........(2...~....-.r...p.....(1...o3...s4...........,..(5.....~.....(6...o7...(8....(6...*.........#./R......&...(....*V.(9.....}......}....*...{....o......{....o......{....o......{....o......{....o....*Z.{....,..{....o....*.*&...o....*..0..&........,..s:...*..s;........ ...s<...o=....*..-.*.o>...*v.-.*.... ...s<...o?....o@...*.0..)........{.........(
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):54784
            Entropy (8bit):5.784358717755705
            Encrypted:false
            SSDEEP:768:MPZP+Rwx+wrAY3GIehrbKIAlknvU9WgJZ/Kb1IexkOMU:wpAo+wMY3QrbKNkvUnJgOeZ7
            MD5:C737CFFF42FD93241A06416C557AA635
            SHA1:1C8A6C15F8A621CC0D04F03F7EE69EB1E5B93DFF
            SHA-256:5CBB9876F8D069CD608B46FDD09805FD1A58AD9A34C48A73221C7A68F4B75A7A
            SHA-512:3BD0C22B162B762B068305DCD68517A964DAD1D6B72A9997D915E2F41ECBB6790843C49D23D0298D909C277C28DAB33F75E90F00D313C23918DEA1DED9338B9D
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Dj[N...........!..................... ........@.. .......................@............@.....................................S.......p.................... ....................................................... ............... ..H............text........ ...................... ..`.rsrc...p...........................@..@.reloc....... ......................@..B........................H........R..P...........................................................^.(.....(....sc...}....*:.(......}....*..0..S.......s......o....r...po....o......(....-...s....o....+..~ ...o......o....r...po....o....o!....o....r'..po....o......(....-...(....("...o#....o....r7..po....o......(....-..o$...rU..p.o%.....o....rk..po....o....o&.....o....r{..po....o....o'.....o....r...po....o....o(......E.........o....r...po....o.......o)....o....r...po....o........(....-....(....("...o*.....
            Process:C:\Windows\System32\msiexec.exe
            File Type:PDF document, version 1.7 (zip deflate encoded)
            Category:dropped
            Size (bytes):1814104
            Entropy (8bit):7.9964333511398
            Encrypted:true
            SSDEEP:49152:4EIeQtfQGqGxfBE1rzQyr0cGVuDJek2+h8zDdViD7496w:4EIewvxpsrzbYMJev+h8dVE7w
            MD5:074535A27DB24C6F79877ADA1E73549B
            SHA1:D2B5919672394A580BE149F23A56BC01E7E162D5
            SHA-256:CCF531625A0B3FDDE82C501AFFA757FADA45A8CE0CAF2172BF7589424D39E2DB
            SHA-512:0D3D2C665DC5564B7BBBF5B046E1484B3B0FDB4380DD5796F08E3E7D21FDBC518244C940855F73432E531C6C7C0B062FA181596D6AAE02494FEB0169355B148B
            Malicious:false
            Preview:%PDF-1.7.%......1813 0 obj.<</Linearized 1/L 1814104/O 1816/E 42424/N 47/T 1812996/H [ 540 668]>>.endobj. ..1823 0 obj.<</DecodeParms<</Columns 4/Predictor 12>>/Encrypt 1814 0 R/Filter/FlateDecode/ID[<6305A97AABFBB64397B61CC18B9D39DF><FD1AA00D5DF56347A46B7C6F26A03B74>]/Index[1813 56]/Info 1812 0 R/Length 71/Prev 1812997/Root 1815 0 R/Size 1869/Type/XRef/W[1 2 1]>>stream..h.bbd.``b`Y.$.o... .T.$..`... !..Hh3.....L..K.,..F......................endstream.endobj.startxref..0..%%EOF.. ..1868 0 obj.<</C 663/Filter/FlateDecode/I 686/L 647/Length 560/O 609/S 536/V 625>>stream...+V\...df|.u_!....w.M.@....e..}...t..nWC...?E......K....'1....R..}.w..4R.#.....`J..'f,....v...f{..1Jw..*Rq*...&.y./....D..b.....f.......V....\kU..WmP....q.$.=..+............q[...a".....P.;.....t0..@........?oq.".M.....W%..DK.S:.D.T.R.Ni...-.iC.G..^............L}E..@}F....7$...y.......y.tAz.|...XF.....S.....0...H..Q.7...\xl%G,...!...{..X9..G..!y..
            Process:C:\Windows\System32\msiexec.exe
            File Type:PDF document, version 1.7 (zip deflate encoded)
            Category:dropped
            Size (bytes):2429743
            Entropy (8bit):7.997561947592179
            Encrypted:true
            SSDEEP:49152:ySpmkgple0TYYLNeyOntG4SxH5EC22PhSYRkJKi7ha2psad3:yGjglBe7G4SxHQ8h+s2psI
            MD5:D3F7DC394940D24E6A9C11E593FCCCD9
            SHA1:233EDDE422D630F4AE463D818809E07570553371
            SHA-256:F1719FD20E7EAD5F2719948C5BCFBBDA423BB36A7E3523B2B30A75675FE64A7E
            SHA-512:142A5C3A9E806C1D05C614582469B64A12D9F43CF7FD945E1E67FC75F3BAC304DA129E707BB64A0075EC9C8045FEAE21AA9540FCCAFDA820A03AEDE0810E434E
            Malicious:false
            Preview:%PDF-1.7.%......2188 0 obj.<</Linearized 1/L 2429743/O 2191/E 167184/N 48/T 2428576/H [ 576 700]>>.endobj. ..2201 0 obj.<</DecodeParms<</Columns 5/Predictor 12>>/Encrypt 2189 0 R/Filter/FlateDecode/ID[<91BF8E1883ACCF4296138E484B200C53><BD2149AB91934747A23AB6A5FC785655>]/Index[2188 68]/Info 2187 0 R/Length 91/Prev 2428577/Root 2190 0 R/Size 2256/Type/XRef/W[1 3 1]>>stream..h.bbd`.``b``y."...I...4.,>.D2..... 2..D....L..@l.. R..H........!....D?....m.................endstream.endobj.startxref..0..%%EOF.. ..2255 0 obj.<</C 831/Filter/FlateDecode/I 854/L 815/Length 592/O 777/S 688/V 793>>stream.....[.._....kk.'.25L...#P...)L.w>vxF.Z.I..h.4....c.@P..5w.u...!...3..T.......*Hrc.P(.x..C.\b.*..Z[.g.UZ.Q..2........N<ZK.Ia..\.......1...g.-%[d..]..L.,t.py.P..(...|$I*.=o^.{4.it.`.t.<..;..X....N.NL.k...W.\.czK.M...K.....|.,O...y.......y..r[...,rv...,...H.S.\.[..Q....=uU6..!.L.......\....,..vB.ce.....47.....;%.....Q....&.?...
            Process:C:\Windows\System32\msiexec.exe
            File Type:PDF document, version 1.7 (zip deflate encoded)
            Category:dropped
            Size (bytes):3615950
            Entropy (8bit):7.997375763087228
            Encrypted:true
            SSDEEP:49152:p6paZYfYRDE9sHaQsqdVnXiYVucH/Bv5HRFNCAXAtxU9mFnBquE+gx:2YRDE9vqd0YV3XxFnXATZwZ
            MD5:4B81C48BEC774D9CE5E8F87097987B54
            SHA1:4E2821FD1D3BE02643374967C1FE4850FDF52A7F
            SHA-256:02931A26DC6FCBBD64939ACCB949EE6B513F1BF52F4D66EC076C5A6414166BF0
            SHA-512:98E160341A5F9CB04689CC8D7B5C715B19DA9135EE63909366590046DEBFD5596F573B4AF6123161EBD5FBB7CB919175FF23472102EB2308631E73AC0602DE3A
            Malicious:false
            Preview:%PDF-1.7.%......2428 0 obj.<</Linearized 1/L 3615950/O 2431/E 43490/N 93/T 3614420/H [ 576 1074]>>.endobj. ..2438 0 obj.<</DecodeParms<</Columns 4/Predictor 12>>/Encrypt 2429 0 R/Filter/FlateDecode/ID[<49FE2FF05AFD8948B3DEA66269D0BD2E><FC4E8875CE3F734A8CA864EB57B4E46D>]/Index[2428 68]/Info 2427 0 R/Length 73/Prev 3614421/Root 2430 0 R/Size 2496/Type/XRef/W[1 2 1]>>stream..h.bbd.``b`K...7@......,A@.).H........63..Mc`b.......I X...c.......`.......endstream.endobj.startxref..0..%%EOF.. ..2495 0 obj.<</C 1300/Filter/FlateDecode/I 1324/L 1284/Length 960/O 1246/S 1147/V 1262>>stream..MV..p...q.........B_k...T..j..8.6|....9...xZ....wn.?$.....|.d.......n)......0."?8o^`...N....~..7..7'_.._....MkL.T9..v..e...6%.....W~x...^.(...L.-k.........S...-...F^.....Jn..~.../..-..P8...4.h90...M....JrIM..=5..P..f.Pw%......%:^..;.F.6M...<@..Q...$...I..[...j...X..)..6;..&q..B5.............4Z..2..m..M2
            Process:C:\Windows\System32\msiexec.exe
            File Type:PDF document, version 1.7 (zip deflate encoded)
            Category:dropped
            Size (bytes):4340908
            Entropy (8bit):7.997874156953643
            Encrypted:true
            SSDEEP:98304:sT5+hb1uaKMc5dSb5VAXA4kDs9pdj4+VAsxRO84Gb:sF+hbZHESlqXA4kDs9Tj4+VAB8fb
            MD5:CAD34F63F627D5C57DE32A0D9991F8B2
            SHA1:00A1C173AE9AF97AC3228EFCB50A1B0612337BAF
            SHA-256:B31D1E5ECE7ABF19646574712E1B2D046B89ADA9E446D468F88A1C841EF1DDBF
            SHA-512:EFFC82C57C2579541F75CE8E5D7263FC37FE5977FB89EDC3B195F26FCF00DE2FE211F469E9719D5ECEAF02B4F143EE8B5D111E57C352A401EEDA5EFCE75FB39B
            Malicious:false
            Preview:%PDF-1.7.%......2905 0 obj.<</Linearized 1/L 4340908/O 2908/E 185693/N 96/T 4339336/H [ 612 1123]>>.endobj. ..2918 0 obj.<</DecodeParms<</Columns 5/Predictor 12>>/Encrypt 2906 0 R/Filter/FlateDecode/ID[<E95A8659314E044ABC87AFCA57B323E5><A82DF58FC438D64A89F8D6DD033F3312>]/Index[2905 80]/Info 2904 0 R/Length 90/Prev 4339337/Root 2907 0 R/Size 2985/Type/XRef/W[1 3 1]>>stream..h.bbd`.``b``.."...I6..4.D.~..;@$.&.L..".A"L;.@l.. R..H.3.f`bd.~....D?....m......./....<.....endstream.endobj.startxref..0..%%EOF.. ..2984 0 obj.<</C 1683/Filter/FlateDecode/I 1707/L 1667/Length 1008/O 1629/S 1506/V 1645>>stream....A...).b..jU.'.....;R...........}.L...;,,..C..p...B9..M.m.It..AgRK....*..2.......%.*...sPJ.O...t..0R.P...;K}....V.BxZn:.G&GT.7.q..|).#...vYy4.......&l....a0._.1:..;2s.z...vO....@......Q..C.>.X.9...B6.$=.DWFI...../.3..I....#^y8.........k ...-R.P..$....5......y.`........".4.50Xp(.`
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):462336
            Entropy (8bit):6.803831500359682
            Encrypted:false
            SSDEEP:6144:leSYvQAd10GtSV41OJDsTDDVUMle6ZjxLV/rHo0Oaaz2R9IY:oJBdBS4msNUCe65frHMnz2R9
            MD5:6DED8FCBF5F1D9E422B327CA51625E24
            SHA1:8A1140CEBC39F6994EEF7E8DE4627FB7B72A2DD9
            SHA-256:3B3E541682E48F3FD2872F85A06278DA2F3E7877EE956DA89B90D732A1EAA0BD
            SHA-512:BDA3A65133B7B1E2765C7D07C7DA5103292B3C4C2F0673640428B3E7E8637B11539F06C330AB5D0BA6E2274BD2DCD2C50312BE6579E75C4008FF5AE7DAE34CE4
            Malicious:false
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....=N...........!................N#... ...@....@.. ..............................T.....@.................................."..O....@..P....................`......."............................................... ............... ..H............text...T.... ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B................0#......H.......0U..l...........P%.../..P ......................................6..`N.?O...%.C.k_..d...I......5a.......9x......R...gg8...JM...`.[. .o..eE1$_.M.h.q.oz..1..........@....s.c/J..wk.D.....t..&...(....*...0..2........r...p(....}.......}"....(........(.........(....*..r...p(....}.......}"....(........(....*..0..j.........o....-..s#...+..}......(......(......}.....(....s....}......}......}......(......%-.&r...p}......j(#...*rr!..p.{.....{.....B...(....*..0..A........{..
            Process:C:\Windows\System32\msiexec.exe
            File Type:Rich Text Format data, version 1, ANSI, code page 932, default middle east language ID 1025
            Category:dropped
            Size (bytes):141609
            Entropy (8bit):4.798670196469513
            Encrypted:false
            SSDEEP:768:v17SjE7U4GDRq7p9S/EEiMCbGgmhqgG1XJ0FviUGLgVCquMqbQWDVZVVBeObSmGM:v1oCygmggG1XJ8QqKDXMOLiE
            MD5:17F697F3144696318ADB03CF92CF21E9
            SHA1:E7617359FDBE67184240C6E2A54081FFC87096EC
            SHA-256:388BD77C90864DAFBB180446C094CC3EC7378FBF5AE49B4DE1AF50AE9A152089
            SHA-512:E86968BFD39746B5C59DA3005B587EF8EFCBF6864E1FD99B00868AD94BD54C28ED423DC1CE8B24C5200D71A7B5E5F0E1000F38BD723F13F030A87C89B309364A
            Malicious:false
            Preview:{\rtf1\adeflang1025\ansi\ansicpg932\uc2\adeff0\deff0\stshfdbch11\stshfloch11\stshfhich11\stshfbi0\deflang1033\deflangfe1041\themelang1033\themelangfe1041\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset0\fprq2{\*\panose 020b0604020202020204}Arial;}.{\f2\fbidi \fmodern\fcharset0\fprq1{\*\panose 02070309020205020404}Courier New;}{\f11\fbidi \froman\fcharset128\fprq1{\*\panose 02020609040205080304}\'82\'6c\'82\'72 \'96\'be\'92\'a9{\*\falt MS Mincho};}.{\f15\fbidi \fmodern\fcharset128\fprq1{\*\panose 020b0609070205080204}\'82\'6c\'82\'72 \'83\'53\'83\'56\'83\'62\'83\'4e{\*\falt MS Gothic};}.{\f15\fbidi \fmodern\fcharset128\fprq1{\*\panose 020b0609070205080204}\'82\'6c\'82\'72 \'83\'53\'83\'56\'83\'62\'83\'4e{\*\falt MS Gothic};}{\f37\fbidi \froman\fcharset0\fprq0{\*\panose 00000000000000000000}Osaka{\*\falt Times New Roman};}.{\f38\fbidi \fmodern\fcharset128\fprq2{\*\panose 00000000000000000000}\'82\'6c\'82\
            Process:C:\Windows\System32\msiexec.exe
            File Type:ASCII text
            Category:dropped
            Size (bytes):860
            Entropy (8bit):4.894048886726961
            Encrypted:false
            SSDEEP:24:H4jNfTziTJQeHkdW3tR53t4mPK0PtnkOPEB7uGM:H45fTz9HE3V36d0lkqo7uf
            MD5:AB61FB2B4C132810ADFC69E9F62398F7
            SHA1:904FA718F81F9247CF5FEB9CA4CA69CD9836A76C
            SHA-256:143BD440FE8E11EE8FCE0377F0BC1B7BF2C423C32A7AAFCFC8BC518F31A93470
            SHA-512:FEEA19AFBCF0BED493C1B99485D07C7EC9D9CBD012509FCEB1D1B080AE5B0BEB1B3BE5121744BC6DF10B2074B2CFA74FE38B35153FAD06E3DF621BEF0E5297CE
            Malicious:false
            Preview:This third-party-programs.txt file applies to the SmartLab Studio II and related software..The following third party programs are included...- Patterns and practices Prism (http://compositewpf.codeplex.com) : Apache License 2.0.- Patterns and practices Enterprise Library (http://entlib.codeplex.com/) : Ms-PL License.- Patterns and practices Enterprise Library Contrib. LogParser. Modified logging block extensions. (http://entlibcontrib.codeplex.com/) : Ms-PL License.- DevExpress library (Developer Express inc. http://www.devexpress.com/).- Math.NET Numerics library (http://mathnetnumerics.codeplex.com/) : MIT/X11 License.- DotNetZip library (http://dotnetzip.codeplex.com/) : Ms-PL License.- SlimDX Library (https://slimdx.org/) : MIT License.- Intel Threading Building Blocks (Copyright (c) 2018 Intel Corporation.) : Intel Simplified Software License.
            Process:C:\Windows\System32\msiexec.exe
            File Type:Rich Text Format data, version 1, ANSI, code page 932, default middle east language ID 1025
            Category:dropped
            Size (bytes):151079
            Entropy (8bit):4.822439387914921
            Encrypted:false
            SSDEEP:3072:lQDbB3BKh2v8MXTQdEBX/0miVrF4sH5PU:cbZBKh2v8MXTQdEBX/0miVrF4YRU
            MD5:9F04F6330FCA898A22F42688C5F418EF
            SHA1:6CA02C09BD538A7CDEFB72F1B971840DC8EEC741
            SHA-256:B6FCDA2575BD14517B3D7FD410791A7991E6C67A0ED3B686AD840CA9FA662C35
            SHA-512:D143AD9E635173F1E4413FC00FCCB332AC9CA4D315BDE1CA0AC3C132F4451C2BE414DA21B24126899C2B023EAD5C180F89D7CD3EB0ECD35D4159F77C39B2B751
            Malicious:false
            Preview:{\rtf1\adeflang1025\ansi\ansicpg932\uc2\adeff0\deff0\stshfdbch11\stshfloch11\stshfhich11\stshfbi0\deflang1033\deflangfe1041\themelang1033\themelangfe1041\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset0\fprq2{\*\panose 020b0604020202020204}Arial;}.{\f2\fbidi \fmodern\fcharset0\fprq1{\*\panose 02070309020205020404}Courier New;}{\f11\fbidi \froman\fcharset128\fprq1{\*\panose 02020609040205080304}\'82\'6c\'82\'72 \'96\'be\'92\'a9{\*\falt MS Mincho};}.{\f15\fbidi \fmodern\fcharset128\fprq1{\*\panose 020b0609070205080204}\'82\'6c\'82\'72 \'83\'53\'83\'56\'83\'62\'83\'4e{\*\falt MS Gothic};}.{\f15\fbidi \fmodern\fcharset128\fprq1{\*\panose 020b0609070205080204}\'82\'6c\'82\'72 \'83\'53\'83\'56\'83\'62\'83\'4e{\*\falt MS Gothic};}{\f37\fbidi \froman\fcharset0\fprq0{\*\panose 00000000000000000000}Osaka{\*\falt Times New Roman};}.{\f38\fbidi \fmodern\fcharset128\fprq2{\*\panose 020b0600070205080204}\'82\'6c\'82\
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):290304
            Entropy (8bit):5.370722274479681
            Encrypted:false
            SSDEEP:6144:yWjhfR7PA9QWY+0dYHCbDqfZeFIWv5pWmoxc0BVOjhfR7PA9QWY+0dYHCbDqfZe0:VjBR7PA9QWY+0dYHCbDqfZeFIWv5pWmO
            MD5:811CD39FC1B385B39486C6597C243E32
            SHA1:9D9EF09F4221B948396621D560F157533F6FD83C
            SHA-256:40A347BAAD5D58CD9C42E96CFA27DCAD8ED574C1EE1044664DED3CAD76015997
            SHA-512:B5280B17379DF11C77751B8A9139E009167F42255BD66BC0D998190ACBF39F803B621FE1A8440F7BCD09206DEE520BBEE94E4B83D3625D270A091C2DDA930A2B
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):1643008
            Entropy (8bit):5.852673179257523
            Encrypted:false
            SSDEEP:24576:WLGe/Gcxu2K5mqRnYCyTc3ixL7dy8A+DLha1r3hl:w/ZxKmqRn21I
            MD5:C02F440920E1DFA32F062CA4A953DDC3
            SHA1:84898CBD3D171B74DF61E5C431ECCFBFF20DE6A7
            SHA-256:2F9B7E2E4A71DBC5950ABF96A09E9241E10DBEEF7DA9479D0690D013FB73DB8B
            SHA-512:5ED1D21D70798EED6DE14E9FC707ADB4E9D140CB77D3A2499F555D32BE3D0A5AD33FC4BB94684CB7124A3CF124466CF35C8B8A6BA1B0CED1B356ED9A370002AF
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):334648
            Entropy (8bit):5.452971385632559
            Encrypted:false
            SSDEEP:3072:YruHKLs3lXqh91pAEGn962ebvKQkOTuBuyRRc/Ik5GqsXJcr64z61ViJXKXROi2v:MuHRwBGnYpY9XJ461ViJXKNlsTjiK
            MD5:AA40837CE829F94FDD1BACCDE898B3BC
            SHA1:4F72BF430ADD89A0F5047B7009F4206F3AA87DDE
            SHA-256:CB0153495092CAB9BB80803C51B25F00A550DEAE28B35007C60888DBC1529673
            SHA-512:B6E766F8912A85FB42E13A678CA0B46CB10A0DF036463715FF91F8CF6978885D54241FA52125E649D40E362B1023E30752E6451808E82AABECD43385D8F3368B
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):52024
            Entropy (8bit):5.131025044127365
            Encrypted:false
            SSDEEP:768:29MdeNxw5NaC2M8NH2kh/NwVZvo7AMz70:2Jjw/aCxihlw/3
            MD5:A8D9F1132116FB3FB4A23371E5994663
            SHA1:7B9D5EAB8F9ABB6018BC0C7B5186C5108CC1B31B
            SHA-256:872CA3A80173B2881FD8CEDA692CA1A5D7122FFBE876CA9D5BB42CA78DADD336
            SHA-512:9D6C5FFE4D8537EA8AD36105D90728DEBC3BDDE8066D2CC4859C4F57BEB841046F613F3EB899D92FF28DDF34F822EEA4DF66BE5C87ADFE82E8219C82C47DFE7F
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):146232
            Entropy (8bit):5.311002534601883
            Encrypted:false
            SSDEEP:1536:ytdd41Ru9M4D5WW/g5wBn3Kb07xXxYt5F5tjqW8nbcJj4JByT0RFEmmmmm5PBFkJ:qd41Rtm1453sbxRummmmmGL59rjV
            MD5:FEAFE7321EC1037E64171312C6538B24
            SHA1:381F2E36C86F5B38E99458B7A604D6824E1AA629
            SHA-256:CDC82204BFD37DD57F22AD65A65629C5DBDF82F65591EC351852982FCDB1C8EA
            SHA-512:6CC42285C501244A4B9C95C1826282CC758197ECC002AB6C2FDD9DCF69E90A4E6AEFCC775EA1855283DCA80806A511B9044F1D71439ED3360AD6105CAECBF805
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):56120
            Entropy (8bit):4.7965398699122055
            Encrypted:false
            SSDEEP:384:lv2T9bm5EAlV7KbJ8JVmyK5NT7EYEY76SOelmZIrGaqiZ6ZoU1svt4lJArpBSZ4x:pNJS1r59iF7wpX3CsBRAHc
            MD5:89EF15CFC1A20CFB8E5A4F17B1ECBA64
            SHA1:FAEC98B3701876EFE19BE936B2939BCCF7AA4FEF
            SHA-256:0533189CCAFEDBE1999C1526A6ADE81D5A963792258544F10DB0B82541ABE652
            SHA-512:E9BB57740345BA3D38049F5B1DD3980EA7FC1D9013C6303976CAAEB215F15DC626261229339726824F8E3A80FD98DCA7E48CE2807001C498C077A387776F084D
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):502584
            Entropy (8bit):5.399515548682692
            Encrypted:false
            SSDEEP:12288:Wqx2fFTAS8CIm/QRMz6PVJH+UQ/Ze6Z3rF:W+2dTAPhxMP
            MD5:FB1D92CA90E12AB53A413D364C80287D
            SHA1:CC2A81236B4714F2F2961A7751426BB610EC9FCF
            SHA-256:6F785C20EAE305A430D1BFC358D8A54B3A218238FD3A444CA29ABA1E77108FA8
            SHA-512:886125AF6358D3F470BDE3445D944EC2C94D1144C3E7407DBE45EA32ADF0E5EE2A32DC8397025BC06AAF3E7B04A5201BD0791B2FF0E87A817C6A48BC4C8CEC4B
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):14648
            Entropy (8bit):6.3283029585534205
            Encrypted:false
            SSDEEP:384:cD85co+ianKPwMWKR+SSnvpBjTeajCjdlE74:HT7SxAHC0
            MD5:2C4026891162CA400E69AD7F3C746B88
            SHA1:1E9EE4D7F5D13496794CD636B9D734E23DAA3C82
            SHA-256:2690F68234057E01A0E0AF4490ECEE4A7206B11D91443336C0780DEB9896943F
            SHA-512:E1820FE92351DEEB08C62B67A9D54480EBC2B5601A49252BF4FAB75A07CEBBB0FD21C27CC10AB12AC9B7B39332C5F3DF435CB490A8C1200D2DFE74818395D69E
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):39736
            Entropy (8bit):6.148154510900434
            Encrypted:false
            SSDEEP:768:FTVS1yKewc8S1huAzEUUWibHMVfQ+t9CPODSxAI9:n8IhuAzEUUWiLNPOOl9
            MD5:1C4B7B8B9CD1C6672016FE5220C6F41F
            SHA1:2E76A7D17655AD7068120191D9D8F1B6FD497736
            SHA-256:51B59720C5AEFEF16BC277E8AA4810DA540EA3C976A44D4A42AB0FE3A3915ABC
            SHA-512:B36A942516C29CBEB6B2143CCE7135BAF60E88BC1F3EFF00BA8193220063BF042C7F12A65E6928C69ACB7DB9258511F0B9A1B1097666DF6C3AE663046128DABC
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):24888
            Entropy (8bit):6.029483799774741
            Encrypted:false
            SSDEEP:768:TZxxU4XxnVGejkcimobDh+th+h75SxAfjY:TZQAkcimo7h7IJ
            MD5:303F5E0604144B4D58E16AE4E1F28D6F
            SHA1:7B90E7F2579FDC618FDB207EF95EF104FD3A7939
            SHA-256:01762C0060C3A080C3F99C6B7B8574643A904B360BE2BD006484B3E00BE0CBFF
            SHA-512:2DA9347D0871A35B5B14BA1F669FAA4E34BDF5783B0949F3CF9F2FFA74DBB06B019387114A4F4F9453561E2BBAD80C745765DEDAB95EFA842A529053EFA1643F
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):150840
            Entropy (8bit):6.079874804465881
            Encrypted:false
            SSDEEP:3072:yAUqFaY713T7NFf0KXMeq93yuutsJ7g7wbT:yGB3TBFf0K8eqhyTtsCiT
            MD5:2A532749F77D7EF8C54798B5C5D4105F
            SHA1:2E73508B69D5FB8A8C60A19A4155703C18255AFE
            SHA-256:F1043059A9A6630D152BB6A56EFFB3F1E295546AB4CF791487762571866B740F
            SHA-512:CC607232DB9E354C6728A9D150A111FDAC8CA6F5A0AD3BB644B72B3336F6C39836004EEA06DDC7DCF7BC1B30CAC72A3D7F83AB2D7217AD4CD409B6E8BA1F0518
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):29760
            Entropy (8bit):4.841427370418328
            Encrypted:false
            SSDEEP:384:VRM1TlGyz9AswQyUPbKyXH/VUdlW+I2WKnELKt8Cu1jyUw:VkTlGI2IOdmLU8Cu1jyUw
            MD5:6DF78BB163D443D95B21F58808320AF7
            SHA1:A0263EC61435D1EE4C18A92A06AC3EA2C42EB730
            SHA-256:79E7BE6BE7509A1A5263F0292F1462A57744A7C52C4DA6475C70A5054D08C327
            SHA-512:D10510EC52C57061AB8C516B30B6FDC1A4602DEF69482EE0E230E1A161D7A08CA98280BA71478668C36C541D4EF944B17132DB46A8D7298DD1F4749ADD61D372
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):125752
            Entropy (8bit):5.771757959165738
            Encrypted:false
            SSDEEP:3072:P/W6kPbS0eW8v1dvP2U/rlzHb03AAC7/Klll:3QjxMzDlf037Vl
            MD5:D5911921E2EF61B6FA1BEF2D3D81965F
            SHA1:96216000BB5EEFAEDD27869142B8574B5BD5F3C8
            SHA-256:79EC0B9B9752FE63C0C37BC4217C2E7D9EA33016107E3870D5E61889EB8CC3E3
            SHA-512:362AC4B8E8E7C07E9D0F6A8E9636021AAFBF1A0D721ADE9B4F2F31CF451115A3678A59AEA01ACF9B44BCEE57F9001129CBE10489030DC9731495B8394ECD6C77
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):133944
            Entropy (8bit):5.698746356257478
            Encrypted:false
            SSDEEP:3072:vKVWBUDXdJ0GtRYqM5Axnnnn9Z03IuSsxiNuK3iAkmWm:vKVqUTftKZGxnnnn9aYuSsYviAk5m
            MD5:B69C180AD707913247EB85EE2E6E3D16
            SHA1:E8B66A9F9C41C3802541029DDEB22F7E591F6343
            SHA-256:201655CD2F641AC05E450FB03CE763AFBC5E859D6CE1A25AE7FEF3C27A2EE39A
            SHA-512:E81EAA13FC01FFFDF88AC12B4EA0005B59DE0BB9F64F51F4FB7C2148F430FF530377E64EB5448232EC22304C1321001582ECDDA6686FF76B9FB80B32614A8A8A
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):18432
            Entropy (8bit):5.248776851938312
            Encrypted:false
            SSDEEP:192:o/x7eyaNAcIX7aPvyMv+0NEl9NIw61zd04RhF/Qa5tKBuwb+tkxWZcyqHuEPBLrt:oeyBIaQMfEvF/QaEitkxWZTsuEPBQp+
            MD5:A69EDACC3092429FE3E5132F2059EBB6
            SHA1:406F229E53C4469E3344454B7F9AC1B31105017E
            SHA-256:BA8D86161CD69B21BE70368A2A2BDCEE76717DB1A57D58490F76938E65662E92
            SHA-512:41DB476CB0E3B51974F84E2DB20EE8289ADBF98E68B757B7929890A1993A6A94BFA98572815BB84A80E4C6D00E2A6B2096AE82FFE55919854857063C4285DB70
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):675752
            Entropy (8bit):5.942794049319361
            Encrypted:false
            SSDEEP:12288:rktg1lrjC8rjICqbwNjR4xq7iiX19K7Df/SoOKQrIB+jfP:rggD7PIEjR4xq7iiXTK7D3So9AIB+jn
            MD5:4DF6C8781E70C3A4912B5BE796E6D337
            SHA1:CBC510520FCD85DBC1C82B02E82040702ACA9B79
            SHA-256:3598CCCAD5B535FEA6F93662107A4183BFD6167BF1D0F80260436093EDC2E3AF
            SHA-512:964D9813E4D11E1E603E0A9627885C52034B088D0B0DFA5AC0043C27DF204E621A2A654445F440AE318E15B1C5FEA5C469DA9E6A7350A787FEF9EDF6F0418E5C
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):558080
            Entropy (8bit):5.840403523225508
            Encrypted:false
            SSDEEP:12288:31M21M7iQBQjmgSxliLsP6L8gaKnVGys9IQlEbmcP:SBsm+sPWXBnhs9nlEbmc
            MD5:3EC92499E198BB470579F384E8B36F01
            SHA1:8221B7B33C55FA6683EB1CC44437964DD2CFB491
            SHA-256:D8A7325B3CC5C1A2E8DBB564EA4500473DA5B4666D8F11F18131DDFDC4CBB35E
            SHA-512:77C3933BD8720319B679729A0A709CE8E6BF10DE6DF6EA9A450894AF4FCB74665A37EB3593DD8D1DAA9FB762E9D333002244EFD282837D7745FE1AD8A12F2C6B
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):133632
            Entropy (8bit):5.79125061622387
            Encrypted:false
            SSDEEP:3072:aOCZ2TF4HG1LJ+sbSiGQkkw2Uq1m1d0HzaKaBd4eR:mmb+ew2sSAd4e
            MD5:27FF9D3960EB4E069C6AAC296AC97257
            SHA1:D16F63218C49BA7E53F25A66A59576065B3797A7
            SHA-256:C3AFDF6F3AD8AB4BD6531AEA9BE7FADA9D58E7645C6CD15737D14CD51BAED00A
            SHA-512:A669E91C8924D0621F3F137A9B597A66DF2511993E7FD9D027F44B2FB24B2E56356ACA964CBBE02C592AC20ABE39FE2269FB7005675BEBDEC1F45AAF665DC62E
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):1512
            Entropy (8bit):5.089821689937993
            Encrypted:false
            SSDEEP:24:2dm+4+4M+N2soX7qRqO7BAhqAegA4DSkIDpgvTQEg36YInQoVtggtBt1Oni5dggs:cmkmkfqRqO7Vc54qQfLiQeX/2M0Tt
            MD5:FB1D7F9A341AACB1325DCCE7A7449330
            SHA1:8D7E191B8814FF86A9AD239304907202997DAE0D
            SHA-256:C84A83B3D0FD6BB80EF91E7AF639E48CE5BF8B6EFE6ADA3241D574DC8148D24C
            SHA-512:0B988AB9A00415B3612866EAD09D95C5BDFC75747631028D062E542C461195B430F3D3E889A379D908AD8E7621E8B9E43E830FC0D69A478014308D3FCAD1B3B0
            Malicious:false
            Preview:<?xml version="1.0" encoding="utf-8" ?>..<Modularity:ModuleCatalog.. xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation".. xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml".. xmlns:sys="clr-namespace:System;assembly=mscorlib".. xmlns:Modularity="clr-namespace:Microsoft.Practices.Prism.Modularity;assembly=Microsoft.Practices.Prism">.. <Modularity:ModuleInfo ModuleName="DBDataService".. ModuleType="Rigaku.Services.DBDataService.Service, Rigaku.Services.DBDataService.v4.0".. InitializationMode="OnDemand" />.. <Modularity:ModuleInfo ModuleName="ReportingService".. ModuleType="Rigaku.Services.ReportingService.Service, Rigaku.Services.ReportingService.v4.0".. InitializationMode="OnDemand" />.. <Modularity:ModuleInfo ModuleName="Launcher".. ModuleType="Rigaku.Plugins.Launcher.Plugin, Rigaku.Plugins.Launcher.v1.0".. InitializationMode="WhenAvailable" />.. <Modularity:ModuleInfo ModuleName="Logging".. ModuleType
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):52105216
            Entropy (8bit):3.9350595980529075
            Encrypted:false
            SSDEEP:6144:Mhmc+PrJbGg4s9Sm8r/oSMDFXJzfAFanTCb88r/oSMDFXzbfAm:eZ+VkwLDFB1xLDFf
            MD5:4B072CE290A92A715130B5EA137496F4
            SHA1:1EBD8CDEB73A9863161AB34DF2BAB08AEA09BC55
            SHA-256:EA5349B1E2686DF5CB0A2C27BA99B4294905C674CC95797041E54A035D24C0E8
            SHA-512:E8AC0A0F0E9E238746AB9A0688B6E208085695A2EC23D1B020032AF38C6A363BD75E5691124EBB6760198969157326CE1867F3C1DF2B6A9A76CAF0208ED0D6BA
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):173056
            Entropy (8bit):5.860059976920095
            Encrypted:false
            SSDEEP:3072:EQ67di+RlHRq3lFqI2HpLMsAG0xTei4OvNuKXchf7oYNZ2EOPbgrAXtoU:Ez7di+RGTqI2HpLdRi9uKXchzoYN68rA
            MD5:8FDC35684DD917444D9195EE8F192FC1
            SHA1:3768F5911A14CF1B31D9F371BCA458956B589E4A
            SHA-256:7456604CDA3686A2F58653825D680EFAE97EAC1C47280FD149EFD924C4AEB3E2
            SHA-512:E57D978363254322CAD32DC8AFFC568F2AAEA20BB6647B383E45779B5A0B47CFD8A516F992C51F180D567FD74F0957D2E9BDDF5F4C0F2B3C8EB1093EBB116FB4
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):157696
            Entropy (8bit):5.79436498400138
            Encrypted:false
            SSDEEP:3072:Neq2sb5HnVFDNdWNTrOrAtI8POihWiU1zVzeMAxyZe8PmlNJLyLOtl:NZbvlNdASzVzeMAwe8+v
            MD5:7BEB1DE68D443C5F30D786F91EEF5BDE
            SHA1:7EB713DF207F19F00172BC9C9545DD84827FCC5C
            SHA-256:B86086AA451AB2D08794E4E5AC01E614356C600AB7310F15BFEDA145BBBDB0BB
            SHA-512:B106E4D7ADD17CA54123E2E1EE0A18707185C9CC5FE787CDD1D06F75FF5896A37C6BEEF3299EA84D021D0E01C3C3912DF3092AAD3156E6D70A0181B776741076
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32+ executable (DLL) (GUI) x86-64 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):316928
            Entropy (8bit):6.471278682268752
            Encrypted:false
            SSDEEP:6144:BShSiInMADKHrxXfr7bat+/AG47maovIYn4KHJY:BVio1KLxTytKHJ
            MD5:854A00D1F7F7F516A9D8D2903A1636B9
            SHA1:59B2621ECACCB0D49E7C43388A5BF1A417A62874
            SHA-256:2A824097B28FD80615EF03D98A1ACEF15E335C6E216461CEC109C360D285618F
            SHA-512:5A40E46404725DFB4A8FFD2F3CFFB6245565F7493A3F7DC64C1E973F6F54AA049E72CF351E157EF24E186CE97EC7EE5AF2FF5E9B0E9DC845BF8D9DB5DB34BEC9
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):164864
            Entropy (8bit):5.954263246105241
            Encrypted:false
            SSDEEP:3072:yhCDllxEu6v8mitYSqtddN+DTpw3P8wmqV59YVMl0e6YOmBanHTjfjESkZIVp2zI:yillxEu6v8gP5NT6Y5a0
            MD5:E88FD4A366499F0FB0310104D5B8A292
            SHA1:27F1B1801EFCD7A6745607E60BA5C45616714C8B
            SHA-256:30E8C8A3A00F98540389FD1832F47FC7030E8732523BE889818EB5D756EF231E
            SHA-512:E7F1B425CAB11C95E9CC6B56BF6F7161F7152828901C9812383B24A30790E39A834F5EECC3653A65CB9ACCCF3465E362F411E5631972F1949DC26EE2E308EC6B
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):48640
            Entropy (8bit):5.365747133489142
            Encrypted:false
            SSDEEP:768:j2MNGNIihCr4xdiFzJB17pNBi4FtV4FILGIDEh9MZUS8UJ2ce3gmeAxprYROaZNE:0Iiw+ErBpjV4WLGuEh6FJ2cizDrYxE
            MD5:2518FCF8B7B3A0CADEBECED2F4131347
            SHA1:23BBA94FC80F667972D1EF09A83947A1EFFB2937
            SHA-256:EDC9E681FFFBF18C8D7004634E7CD6CB1721C34387C2E494CCAA5FE3E4004D36
            SHA-512:20E8A22EF55443E0368B22D3EF82FC03EE52B3A6FE2D72F8E53B0E8AC130FC46221C49DEB70418166CF6C022EBDE8C7EC742ABD5A478900CDB89D51BF140FE68
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
            Category:dropped
            Size (bytes):236544
            Entropy (8bit):6.327658033718718
            Encrypted:false
            SSDEEP:3072:rwUSKH9hIF8TCWQ/0PTgFxV9IzOl9mufWxaDO9vj1u9L86mt:8vKdWMY97fWUD8749
            MD5:7CDA1296F50CAD544206FBB1ABB4E1A1
            SHA1:75A0C8BBB6E100C540BE34CBA951B93A458979AF
            SHA-256:4D93A18CB5A82BE8D1F5E3D0C9BCBCC13028F81977A46A33B7AC61A94D10E043
            SHA-512:41819FE95051536A2CFA07A31A5D56140788029FFD7982EC7920F3A60DAD1F91DB0DFB6E81CAADB1BE47BEE0185F81E9BD64378F67197CF27A83B067C39E711E
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):47616
            Entropy (8bit):5.754961046411888
            Encrypted:false
            SSDEEP:768:TPOp0ThhKbIv5YS7y6lQ/UzG7oxz+8SU3quq4VJqYVgvMFS2i7ftkZ0d5w+XVFoM:TmpDbIhwKz8U5q4VJqYiEFS2iBkKHNVH
            MD5:1F16F94F98413BA778FD304956329E7D
            SHA1:331E5B5DBE3F827D651A9D5EA3861631D173DB87
            SHA-256:E52EB49DC1392C767F4CE2F92E9C35A961F88FB09D808E1E1160FA6EA4076625
            SHA-512:E3D57BC965A6453AAEF5698607009F8D8D6863ABB524B45541AEBF94DD47FB88845CBABE6AC15495A40BCCC6B21937A752DAA5F957913FD9A527D5DAB4091A69
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):369152
            Entropy (8bit):5.880827621686826
            Encrypted:false
            SSDEEP:6144:gmXqL7PMtek1aB3rCfJg6KHyfT5WRdCe7rsbf4jr73U:gm6L7PBrQJg6KHuT5WRjMbf4Q
            MD5:41B1BFB668E3AD991653CE655395B774
            SHA1:5245DDB75F27A8245BB22AC4EF3BC3C7389D5567
            SHA-256:F66D9CDEFB4846659A78F1CEC34E5FE8365D191266BDD0A944613C5C1FB4FD05
            SHA-512:4D7302FC2334DE50363E70E2D57DFFB0965030F6EFFB2E225C467C3337D61982D88CED6AABC2EE90AF4C3A2ADF42F4EFE9DCCACDE7183170492C7B1B1E44B8F4
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):41984
            Entropy (8bit):5.67980798831157
            Encrypted:false
            SSDEEP:768:43XuE6gbXJuuMM3xnnJHgHbzovVT2BL7zxYW3pMy7:mX/DAQpKv2lW3pR7
            MD5:64FB9B6D0F9F29ECB18A91B45F40F108
            SHA1:12F2AEE409E2DBC2AF4507B2037E590A1B7DD7F0
            SHA-256:5E44872C1DF7B15CD58E4068532FE8583BA97CF0BA54D590197DD2ED430378A8
            SHA-512:67F92F2FABD9F2F29AC1BBE69551E2F91627CEBA4F049848BB813879ECF9538ED3251F021E064E6F7F746AA2ECD2965C9E0AAE145F1CC875E799283D80DB1FFB
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):235008
            Entropy (8bit):6.339196242955037
            Encrypted:false
            SSDEEP:3072:BZFYuD60laFUoA4cWaciYEsNHrm/L6SaRIRa9:Xu0lR9svN6/L6FII
            MD5:D38583833B9B2743F91A6499CE823980
            SHA1:9976DC04221775BAB83449DB98DF0B3DCD2FFD21
            SHA-256:5F5FE496D9B3550CC47C49235B1FAF845EB6BEF0DF3A68FDD52D05B5F2FC2CB5
            SHA-512:367711775A7A2842403D6859819D90017D4C555B4BADEBCCB217FE3E46DCD7D440D51058FFA13DE94BC05D84D344EA97451839EFA2700164526179DE362D90E9
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):28160
            Entropy (8bit):5.609278371751716
            Encrypted:false
            SSDEEP:384:HoP+kDcEyZyPyjsqIZtdPvJ+w5fluS5+upAurpazh+I2Jtsfo9mgWhIEX7UnonxG:ARlOyPylIR35p5+7owo9mNMRg8
            MD5:5A1D46ECF89232FA7DC3CBB7B011CCF4
            SHA1:84DA2DF433AB427D0D93E07DFB0D718E149E8C33
            SHA-256:01ED50C29161A753C16D311B6EF72F763CF678F000EAAC911077652AF5475F10
            SHA-512:438ABE1A21B2E6945AD9CBEC1A506E6CE3E8E76779565959FF43DE9032DB069BD192F20FF180A094E030318058058251126381D63CEA7300B95EEB61E35BD469
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):261120
            Entropy (8bit):5.953796345494796
            Encrypted:false
            SSDEEP:6144:AwL64C+x72F4szTT9em06nOMWHyonpgxAsnSgj:dZMpe1MW+Ah
            MD5:3AF55368A6BD8C21F611E462D7A2F112
            SHA1:32F65AF2613A19E08EEF4816DE2681A5C3EE1D18
            SHA-256:5CDCC0FDD01731EC4943E6666258A9A04F56EE41F752578BBE9DCC011EA33BCC
            SHA-512:2E7D253140C640B320D75BAD7E4CEB9E21B6CDB3D65C80C976CC20259EC00BD75A5AF21A3600DE66DB167AA346F0F0312463AD7C6E1F506680FF49FB1294ED76
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):102912
            Entropy (8bit):5.905114355881845
            Encrypted:false
            SSDEEP:1536:RqcAPfMgyvTv90rjE/UcfGkteyYzrfmz7csoP8TCN0UQ2T5NcL/sj7amhTg0rynB:Rqc8fMfJYkvteyc+z7cVj7auya0
            MD5:62E60D18C4D946CD2395A8D834C9CAC8
            SHA1:8B8E53A68C375ABE03CA32738D9EF5C30E4E1BA1
            SHA-256:1358BF9D712D6CA4085F0AE63AA0D5709D7896D37E48FE4E6B77522CA43E342B
            SHA-512:CF4596BA3881B10BE2CB11B09B6710DC66510B2489BB9FC6A5EB8E2239548768DC86FDE381E9F215FDACC69BC95464C1F21D78C26606E6F8BAEFACF76BB06C79
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):42496
            Entropy (8bit):5.779524115530067
            Encrypted:false
            SSDEEP:768:ZJNWfyt5YRiijWlY20aPnN3inLMzRiCmFZ2MfQBkty/:Z/Wq5YRiij6P0aPnN3inIzRlmFZ2sdy/
            MD5:C1FB659575A43F9426D8FC7BF876057A
            SHA1:BFA80C4FF7713A481D9278F4844125CC200476FB
            SHA-256:098EF0F08DD0B423800AB049242ECAD547457B78BA4CD468857D288A953F7C27
            SHA-512:870DE4E7AEEE7AC4BD0EAD3B49A815E9319AA36EAE786E9DC9643D2DDDB03A8D1A2C414F6DB9081713AA7A90D75A523F6AE7A6CE97F06840B4C22C3263757DF3
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):520704
            Entropy (8bit):6.30740156829181
            Encrypted:false
            SSDEEP:12288:UjW+rsv0b+fIJjPa3/9uGhVLFI5sWBMNFIEj:oW+z+QJPO/9BVRIwIE
            MD5:348C8955CC8BF111251736F833265B3A
            SHA1:9D568674D232080A35D24E320949D1961DEC1028
            SHA-256:0B9DC2252BE89D80B8C57296A4D2468BAB926C7325771944B13676DE3B79B497
            SHA-512:D5D9B93BD4ED27E8A7DB539D8D93BBD28C2C9CB2320A1202F7754BB55139BFFCCDD8B40422A5D880BCB53E339F2F16767045829B83DDA7E1CE4A5310C9EA646E
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):1358336
            Entropy (8bit):5.719305376873105
            Encrypted:false
            SSDEEP:12288:A5tzM8jszUUqP3sUkL1OhTjCAq/GvUcj5bSACF1YgsFIH8:QzM8jsAUI8Uk+Zq/UUcj5bLCFGfI
            MD5:669764FF6897769DD27872AD01A55B57
            SHA1:65C48F2BBCAA90DBC196BD8E72762DC900568732
            SHA-256:C90624FDD6BAF539C4A42AA7514A593C807592777445559B97270CC817F8E870
            SHA-512:8C770AD6AC537E3FF402F000F388D72A977881D67278C0A8C36BDCE9937A0CE88916FD0B282F0501AA2603CB84B148B4D07B73F892A97AFF7A5970E9002DC274
            Malicious:false
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`.........." ..0.................. ........... ....................... ............`.................................h...O...................................0................................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......(...8_..........`m................................................{4...*..{5...*V.(6.....}4.....}5...*...0..;........u......,/(7....{4....{4...o8...,.(9....{5....{5...o:...*.*. :.'# )UU.Z(7....{4...o;...X )UU.Z(9....{5...o<...X*.0..b........r...p......%..{4......%q.........-.&.+.......o=....%..{5......%q.........-.&.+.......o=....(>...*...0...........o?........e...o=.....(@...-w.{.....oA....oB...oC....{.....{.....oD....{.......e3B.{.......x36.{.......p3*.{.......o3..{
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):493056
            Entropy (8bit):5.893413153340838
            Encrypted:false
            SSDEEP:6144:BVwG3kcViQOhBRCo+mrt8Hair2nAWcs6IOz1fRkso9Lg8q2RUnZITgdVtjinNsAb:BVwG0wcCHa+Gl3kPG3AWWLc
            MD5:FC89905ED8457165540DA108DAA2B43A
            SHA1:1189992E2FD0A96586D08496FF4C6F6486F22F81
            SHA-256:C362F5C449EA9C710BAE8615A38DAFB5AA13148203694FCB3103DF13B2A29054
            SHA-512:9C00BEA14A8A82199A2B3DA40DB882AB93F2E8362E224B2F671CDE47B2F50A4B4A9EBF72A556816C6817D6DAC3C470F60630F295C0AD57E476A7BCCD2A339FC6
            Malicious:false
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....Q.e.........." ..0..~............... ........... ....................................`...@......@............... ..................................X............................................................................................ ..H............text...`}... ...~.................. ..`.rsrc...X...........................@..@........................................H.......x................&..Hw..........................................>. 4......(0...*2......o1...*:........o2...*.0..,........o3...r...p $...........%...%....o4...t....*&...o5...*..(6...*n..1.. ...._ ....` ....`...*".......*..(....**.(.......**.(.......**..(......*.(7...o8....3.(7...o9...o:.........*.*N(....-.(....s;...z*Z(7...o9...o:.........*N(....-.(....s;...z*.(7...o8....3.(7...o9.....s<...o=.........*.*N(....-.(....s;...z*...0...........(>...,.~?...*.r!..pr9..po@............%
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):251904
            Entropy (8bit):5.428600741734646
            Encrypted:false
            SSDEEP:6144:mWFtkQWtDh6EieTY1jR56l68iwTY1jR7rRg:mnQs
            MD5:5D721F1A4A0A6755CBB28AFA3AD2742E
            SHA1:E4B4D82B225BA0AC0B131247DFCFCDE7A53F1223
            SHA-256:A7FCEE0B7C1DD2DA5B88E949D5A60DFF52C92D762C91225B025ECF7F05A011D1
            SHA-512:70F85DE7CED35AD4E34A98E2B302687D9E2F2978DCA5E6FF9EE5BEB2FE1364039531C209352AD6FA1EE8A8F603A108D6C797C55C3E2C743149C32FFF8323FC36
            Malicious:false
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Q.e.........." ..0.................. ........... .......................@............`.................................x...O............................ ......@................................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H.......0)..x#...........L................................................{....*..{....*V.(......}......}....*...0..A........u........4.,/(.....{.....{....o....,.(.....{.....{....o ...*.*.*. k.s )UU.Z(.....{....o!...X )UU.Z(.....{....o"...X*...0..b........r...p......%..{.......%q.........-.&.+.......o#....%..{.......%q.........-.&.+.......o#....($...*J.#(%...r/..p(&...*B(....r=..p(&...*..{....*..{....*..{....*...0..R........(....}.....(....rI..p(&...}.....(....ro..p(&...}...
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):7680
            Entropy (8bit):4.553581403797048
            Encrypted:false
            SSDEEP:96:AEsv0GsY70z4fdrs629Z380XoEbC1UHtWuYVOBG/dyzNt:RsM+7/fW9ZM0XoICArYVOUa
            MD5:194A5EE5060644A1C5096AA921C7E855
            SHA1:4255EE28C28CB701D7F25C653CB0D2D1957F4B2D
            SHA-256:D5F2096CB76B60EB6F8755EBD907720816C0161DC603EEBB598EE89FD8D333C7
            SHA-512:738F7A94638D65BDAA086A11E702ACE38085A2FD90CADFB6051803D9D7198BF7238A250CD33F1C1E5659DC308C931E33FD32EF4700446A2FC4C0F663902CD7EB
            Malicious:false
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...s."c.........."...0.............z1... ...@....@.. ....................................`.................................(1..O....@..L....................`......./............................................... ............... ..H............text........ ...................... ..`.rsrc...L....@......................@..@.reloc.......`......................@..B................\1......H........"..4............................................................0..k.........9S...s.....s.......}............s....(...+~....%-.&~..........s....%.....~....%-.&~..........s....%.....(...+....r...p.o....(....(.....(......~......r...po....,..r...po......(....:....r#..ps......~........,.r...p..o....(....(.....(....+I...(........r5..p(......~......~..................o ...r]..p.(....(.....2. ..r...p..o....(....(.....(......r...p(.....(....*.........Xr...........:. .....0..
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):364032
            Entropy (8bit):5.997520956003227
            Encrypted:false
            SSDEEP:6144:onwFIuNDgXcjLJa0eoTmaX9rS2CQVSy8hRSHZkKBWp5:1FIfXcha0nTmqDuZhP
            MD5:B784F7688EDC64FC5854D17AD4BEEA13
            SHA1:56AD031B93D432CB08EA6FFD3DC7DDC28F3F549F
            SHA-256:BF8FDB824FEE49B49EF261B51E79B909FEAF5C19575E2149B0BF63457EE18574
            SHA-512:48DB0200E4BC271E0EF6943C9A1422BD255595104C07F5DEBA74AB1F1B8331D0FDDE71B9514AE96C49BF0455C1D9782FFF934430C1C71D5DC339A0E78674099F
            Malicious:false
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...(............."...0.............j.... ........@.. ....................................`.....................................O.......4.................... ......,...8............................................ ............... ..H............text........ ...................... ..`.rsrc...4...........................@..@.reloc....... ......................@..B.wibu........@...................... ..`................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):457728
            Entropy (8bit):6.0834191335883565
            Encrypted:false
            SSDEEP:6144:mRkNhkvir2RTDRyuYWq36FuzO47KAkqRVhx8qSSEJGpPbV:mkNhA40uK47FvyJGB
            MD5:78D2C54995E19B803EE91F94BD51209A
            SHA1:110AF14D0871B3109D0E0B81DD898731ACFA0F55
            SHA-256:C505B4EBF50961D1A7DF96C4F2FED1E7B1627EE7FF9187C6E5A5176CB4885FD2
            SHA-512:D11D7E8B71B68871C2DE6E5CC8EA386E5B3429BC2031CF3252280D4527A80D129ED9EC6F197BF15ACBF62DE94062B979DFFB3F58B59AC092089C7C0FD0EE8F85
            Malicious:false
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....Q.e.........." ..0.................. ........... .......................@............`...@......@............... ............................... ..d...........................0................................................................ ..H............text...h.... ...................... ..`.rsrc...d.... ......................@..@........................................H.......D................ ..P.............................................s....}.....(.....(......(.....r...p.s....(....o....s....}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*b.{.....3.*..}.....(....*..{....*"..}....*..{....*"..}....*..*..(....*6s....%.o....*...{....s....}......o....(......o....(......o....(....*..(....,..(....*.{....o....o ...*..0...........{....o....o ....9.........{....o!....o"....8H.....(#.....(....95....9/....o3...9$....o3...o$.....8......(%.
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):492032
            Entropy (8bit):6.544234422725639
            Encrypted:false
            SSDEEP:12288:otD9rfa6QSgGC0+QRhLvlBpmGUMsawdZdZL1bz5OWokTVXImiEIm7zvl7wUOagQb:otD9rfa6QSgGC0+QRhLvlBpmGUMsawdz
            MD5:6289213717C94E34CA11E5303D0746B0
            SHA1:D12F485CAA43B1E19B3657DFC9B1D0020B9287A1
            SHA-256:592F7453A57AACE511B18AE68D3E454B1E7C6C795B3C42449E07D588F3FD8AB1
            SHA-512:C49C0FE8B3BA00187069E3C0ED7517E0BF79A247FEF91854E613E9E74B3E8E7698D2F62D130076E71C7C35C67D59D1F3ACCFBC79BD5C228FBC78A10F5A05E508
            Malicious:false
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....Q.e.........." ..0..z............... ........... ....................................`...@......@............... ..................................4............................................................................................ ..H............text....x... ...z.................. ..`.rsrc...4............|..............@..@........................................H...........{...............y..........................................>. 4......(....*2......o....*:........o....*.0..,........o....r...p $...........%...%....o....t....*&...o....*..(....*..{....*"..}....*:.(......(....*.s_...%.os...s....%(....o ...o!...o"...&*..*.~#...*....0..........s_...%.oe...%.ou...%.og...%.oa...%.oy...%.ow...%..o{...%.oo...s......(....o ...o!....o"...&.o....,..o....(...+,..o.....o%...*~&...*..0..k.......s_...%.oe...%.og...%.oi...%.os...%.oa...%.oy...%.ow...%.
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):345600
            Entropy (8bit):6.5661541409598625
            Encrypted:false
            SSDEEP:6144:GjdOZYkVne7c3iZC4xeVQlDFIqM7tX6A:AdOZDWIQlDFIV5
            MD5:D4079C35C778FCBFE0988C126946D2B8
            SHA1:D28A090C3FA4BB3F176858EBDD7F946D30FABCF8
            SHA-256:95D22A12BFFB8C846D3FA4B55130E301A16634D11903691FA707553A032F6AEC
            SHA-512:C6A047ACB3D3EA7F5DE6A06E31A5D32171459DB2C4BE72449973531086DBE7CA93737D129879C20A6BCA6C09ED202C6FCE1A14F41D21A626A83F026F963184E5
            Malicious:false
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...(.[..........." ..0..<...........[... ...`....... ....................................`..................................Z..O....`..\............................Y..8............................................ ............... ..H............text....;... ...<.................. ..`.rsrc...\....`.......>..............@..@.reloc...............D..............@..B.................Z......H...........................P{..........................................>. 4......(....*2......o....*:........o....*.0..,........o....r...p $...........%...%....o....t....*&...o....*..( ...*..{....*"..}....*..(!.....(......}......}......}.......}.......}....*..0..@.......s....%.o.....{.....{.....{.....{....s....%("...o#...o$...o%...&*.0............,...(...+-..*s'...&s(.......o)...o*.....(.......o+.....8......(,.......o-.........%..|.o............%..;.o............+=s.........
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):92672
            Entropy (8bit):5.867335711537043
            Encrypted:false
            SSDEEP:1536:iAJCGZ43eadUhzxMUCoxgAOSUc/odyO1vnjQJNpzqXKP:tCGZT0mzTgAOfc/odyO1bQJnz
            MD5:9F7E7EBB3E585FB9A22042C592F15EBD
            SHA1:4AA34644DF582C07224DFD5F900E6E690178641F
            SHA-256:A93DAF00B15A4F60FB5624DE6216FD3B4E72D8BB4C97EF55DD3114D23EA3BC5C
            SHA-512:DCA8EB0E70A0D44B336985831C9F3CA4284E83EDB6BF3DCECEB48ABAB9083DBF273A6332726EEB2DA123C4A00DB638A44AE5A4B37DBB87C350DC69BD330647A9
            Malicious:false
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Wht..........." ..0..`...........~... ........... ....................................`..................................~..O.......D............................}..8............................................ ............... ..H............text....^... ...`.................. ..`.rsrc...D............b..............@..@.reloc...............h..............@..B.................~......H.......xN..0/...........................................................0..b.........}......}......}.......} ....s!...}"....{"......#...s$...o%....{"......&...s'...o(....{"...o)...*...0...........{....,G...o*...,..o*....{ ...s+....+..o,.........{ ...s-.....{.....{.....o.....{"......&...s'...o/....{"......#...s$...o0....{"...o1.....}".....}......}....*^..{....o2........o3...*..(4...*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*J.~5...}.....(4...*Z..s6..
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):6656
            Entropy (8bit):4.348141742685137
            Encrypted:false
            SSDEEP:192:Xt0VWbXlqYNLvuL6dRy33VHD7GHyFOEju:rbBRvjdRw3VHDIuOH
            MD5:65F054A44FBAE1916A037CD22091F082
            SHA1:9A46CF23A9694759B376081C4E723297D1DB5AB3
            SHA-256:F1FA17ACBE70E26294DAB74D92A8CE4B256CD38AEE03EE66217D3CB3B16364AD
            SHA-512:7DBEF46A22383688424A23419CEBCA94ABDB7F55DD13E3C8B3F37A12A57323CA213A5AB6857296CAB8059C2C24999127A2E2E147CAF4DDAB22D513BD1025A6D0
            Malicious:false
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...9............" ..0............../... ...@....... ....................................`................................../..O....@.......................`..........8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................./......H........!..8............-..............................................^~....-.s.........~....*.0..N.......s....%.o....%(....o....%(.....o....(....o....%s....%r...po....o....(......&..*..........JJ.......0..?.......s....%.o....%(....o....%.o....%s....%r...po....o....(......&..*.........;;........(....*..(....*.~....-.r...p.....(....o ...s!........~....*.~....*.......*V(....rY..p~....o"...*...BSJB............v4.0.30319......l.......#~..p...H...#Strings........p...#US.(.......
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):36352
            Entropy (8bit):5.654762800483187
            Encrypted:false
            SSDEEP:768:thlDtQoRzCzTi0BHE9q0jSPvTDXSoGx+kHK9j/yB:r/DRzCzT96OfilxVHK9j/yB
            MD5:ACDB666D92501862915794D2314DE677
            SHA1:98135555B3AF2DBF486FA9873DD9DD3C0337B6F5
            SHA-256:2359A58BDC46FD067D2F05DFB9D80969053326B863DEF38DECD737548E948763
            SHA-512:F63BC30F3A568ED027DA4FE21F64EB03F6E49FECF22894E9E6035DABA69F0EBF1D6F908DAA0B2C45A8655E601C454E83FBB2CD00C0933A39161AB0B0EAB6C0CB
            Malicious:false
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...\............." ..0.................. ........... ....................................`.................................>...O...................................t...8............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................r.......H........>...c..........................................................f.(.....~....(x.....(z...*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*.(....*.(....*.(....*.(....*.(....*.(....*.(....*..(....*..(....*....0..-.......s........(0......T..Q%,..,....o....T..o....Q*....0..g...
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):190976
            Entropy (8bit):6.822087789000702
            Encrypted:false
            SSDEEP:3072:gektbNGRI914c+Ecu9MtbuN7kQmB91qoiqRUR23Qj4rMRSK1I914q+NR:CtbSI9qXuOm7o3RURurMRSK1I9q
            MD5:1A56D8CD4728BBA1C2B8CE8BE0DF4F82
            SHA1:ECF78E432FBF89CB5B7581A63960B549A19B496C
            SHA-256:DAB0B940956DFB986BF25BC655110F61F449792D59241B0AC327B79513BD7EB6
            SHA-512:57E1C200743174ADDEAC831DD8CC32E2374ACA0A28C782345481658D6CFC4BFDC52A1254EFACAD719FE72CBEF96C2372547090ACBA2081CED6CC385FB60483B3
            Malicious:false
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....G............"...0..\............... .....@..... ....................... ............`...@......@............... ..................................L............................z..8............................................................ ..H............text...[[... ...\.................. ..`.rsrc...L............^..............@..@........................................H....... -...1..........._..p.............................................~....~.....o....}.....{....,...(....*~....o....(....o....*...(.....{....,.~....o....~....o....*....0............(.....s....(.....(...........s....o ....(....o!....(....o".....(....u....}.......o#....,..o#.......($...&.{....o.....o!....{....o....o'....s%...}.....{....(3...o&....{....(6...o'....{...........s(...o)....{.....o*...s+...%#.....@.@o,...%.......s-...o.....o/....(....*....0...........{....s0...o1....{..
            Process:C:\Windows\System32\msiexec.exe
            File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (711), with CRLF line terminators
            Category:dropped
            Size (bytes):2448
            Entropy (8bit):5.0661056258530275
            Encrypted:false
            SSDEEP:48:3R2zyqG+q2PrqOfxCuRqVwDq2vqTwzq2b3QqbRq27mKqo8uhBco:tn+5rqOwuRBd113Q4FmKqxuUo
            MD5:E8208CD2CBF2C2604E27EB724A75C02C
            SHA1:10BFE2DEAB1EB6AD08C04F0FC3932AE1AEC2027E
            SHA-256:71ED83F794713433C3F76B2DBEB8A45B3ABF3AF10BB1FAFA89380B283F1D6A12
            SHA-512:4E85247A37317BE0D6012BA359E9180A20502726C6EB0D36EC3DF477C5BA8E4FD76369BE68E426B1927158D936C6EFABCD6D1A2A52B7F22E76C7CA46B8EC1880
            Malicious:false
            Preview:.<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <configSections>.. <section name="loggingConfiguration" type="Microsoft.Practices.EnterpriseLibrary.Logging.Configuration.LoggingSettings, Microsoft.Practices.EnterpriseLibrary.Logging, Version=5.0.414.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" requirePermission="true"/>.. </configSections>.... <startup> .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.6.1" />.. </startup>.. .. <appSettings>.. </appSettings>.... <runtime>.. </runtime>.... <loggingConfiguration name="" tracingEnabled="true" defaultCategory="General">.. <listeners>.. <add name="Rolling Flat File Trace Listener" type="Microsoft.Practices.EnterpriseLibrary.Logging.TraceListeners.RollingFlatFileTraceListener, Microsoft.Practices.EnterpriseLibrary.Logging, Version=5.0.414.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" listenerDataType="Microsoft.Practices.EnterpriseLibrary.Logging.Configuration.Rolling
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):25088
            Entropy (8bit):5.55503008857443
            Encrypted:false
            SSDEEP:768:VuTSb2J0TSc7EmLAbYTH122gQWPUVDUflQ23v3nYb:Vmq2C9LAbYH1LZgmD2lQS3nYb
            MD5:82F5C155503E5188DAA96564F9261CD0
            SHA1:C2C5A5D8840A57BABA4C88E1A691847C1F9F0C7A
            SHA-256:A14E073C50EC8A354EF947842CA01B59BA43AD6960A7CEEDFB1CB72C7C4342AB
            SHA-512:47D2255187C41AA41D6F5CAC2C59BB50A7A180592E8D8E13A746BF1DEFB34B42DEE842B7DD5541153BD6CA941F89073272A6A1A631B5C42ECC9D774BEBA19C32
            Malicious:true
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....l..........."...0..X............... .....@..... ....................................`...@......@............... ..................................|...........................lv..8............................................................ ..H............text...QW... ...X.................. ..`.rsrc...|............Z..............@..@........................................H.......(9...6...........o..............................................R.(.....(......(....*...}....(....(@...o.....(.....(....*....0..%.......(....(A...o.........(....(.....(....*....0..%.......(....(?...o.........(....(.....(....*....0.............(....}......(.........(.........(.....3!(....(B....|....(....(....o....+=..(.........(.........(.....3.(....(C....|....(....(....o......(.....3..(....*...0..C.........(..... ....3..(....*. ....3..(....*. ....3..(....*. ....3..(....*..0..
            Process:C:\Windows\System32\msiexec.exe
            File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (707), with CRLF line terminators
            Category:dropped
            Size (bytes):2435
            Entropy (8bit):5.0709328113269505
            Encrypted:false
            SSDEEP:48:3R2zyqG+q2VrpfxCuRqVwDq2vqTwzq25QqbRq27mKqo8uhBco:tn+DrpwuRBd1LQ4FmKqxuUo
            MD5:A7AE8CB72BEF08222FCE2AF5DDEA936B
            SHA1:9CF8524900322DE690E2B5AF1B485D53CE3D43A8
            SHA-256:FC54909219E260EFED892B1F873414A219C15E85A8C142309D427B8248DE4AF2
            SHA-512:077ADB1074718FFA6C9FCD74A8BB50BD338474D8A9B7E4A6D44531EAB421C716FA6FFF9EC15AF3CC1D65277E19EF83D0EB0D1F0B2706162F5DB5A9537682D60C
            Malicious:true
            Preview:.<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <configSections>.. <section name="loggingConfiguration" type="Microsoft.Practices.EnterpriseLibrary.Logging.Configuration.LoggingSettings, Microsoft.Practices.EnterpriseLibrary.Logging, Version=5.0.414.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" requirePermission="true"/>.. </configSections>.... <startup>.. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.6.1" />.. </startup>.... <appSettings>.. </appSettings>.... <runtime>.. </runtime>.... <loggingConfiguration name="" tracingEnabled="true" defaultCategory="General">.. <listeners>.. <add name="Rolling Flat File Trace Listener" type="Microsoft.Practices.EnterpriseLibrary.Logging.TraceListeners.RollingFlatFileTraceListener, Microsoft.Practices.EnterpriseLibrary.Logging, Version=5.0.414.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" listenerDataType="Microsoft.Practices.EnterpriseLibrary.Logging.Configuration.RollingFlatFileT
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):9216
            Entropy (8bit):4.921621320446962
            Encrypted:false
            SSDEEP:192:qQgWDIvWsJhxH9EJfr2/8rXNNf/5RuQHWP4Wzr/B3FR+lKe:aWDmyJfa6n5R24SjB1OKe
            MD5:DA2B41FBA7D9FAF9658DD0CC2C289F31
            SHA1:CED7EA9BBE7D35A48C970253C5085508A88984AE
            SHA-256:2B948706D3FBCE7B6AD221F7834FB83A5F34EBAA9F7D1F266106E2B7BEA29831
            SHA-512:283BC52F1F81934BD8EF4CAC38EBF2210EBA937B38BFD69C204C6A8B88C5E950836EC19B85932BC1F2EC7BFE588D545E4B24F93970C649B4ADF87156E21810B1
            Malicious:false
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...O(0..........." ..0..............9... ...@....... ....................................`.................................s9..O....@..D....................`.......8..8............................................ ............... ..H............text........ ...................... ..`.rsrc...D....@......................@..@.reloc.......`......."..............@..B.................9......H........#...............7..............................................^.(.....(....o...+}....*.0..s.........&...%.(.......r...p(....(.....%.r)..p.%....%.r1..p.%....%.r5..p.(......s.......s.........o......o......r9..p".. As...........o....&..#XR..x<.@Z....#XR..x<.@Z..#XR..x<.@Z....#XR..x<.@Z....k...l..#.......@XZXk..............( .......(!.......k(".......k(#.......s$...%.o%..........(&...s'.......o(.....rM..p()...,...o*...o+....o,.........o-...+}..rY..p()...,1..o*...o+.....
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):60416
            Entropy (8bit):5.798217789824643
            Encrypted:false
            SSDEEP:768:RwKOKy2uP9nHPJTYSX/oL9TkQbcm32Czj+Siu3FOhyFsPFFH+Mky3Ql:O8wJTYSXQLXb1mabiSFOhyFGLnol
            MD5:795D270C334B89AC4256F2607EFDA056
            SHA1:616BE78418638F4E5D0266DB03133A946E095837
            SHA-256:A11D33987324ECDC372549A798181903B9CDA5153661DFBF800B7138152C2738
            SHA-512:B090D5E51990AEBA4B85FD63CA2620FC91BE4CC52247CC7FC6C12321F67D24CC379D1C83EECB4EDB810D3C55DA088C3FC0E09F2B958A8B847A8D035EE9FEDA75
            Malicious:false
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...K,*..........." ..0.............r.... ... ....... .......................`............`.....................................O.... ..<....................@......H...8............................................ ............... ..H............text...x.... ...................... ..`.rsrc...<.... ......................@..@.reloc.......@......................@..B................Q.......H........H...f...............P..........................................>. 4......(....*2......o....*:........o....*.0..,........o....r...p $...........%...%....o....t....*&...o....*..(....*...0..)........{.........( ...t .....|......(...+...3.*....0..)........{.........("...t .....|......(...+...3.*F.~....(#...t....*6.~.....($...*....0..F........(%....(......(&....s'...(.....o(....+P..()....s$...%.o*...o+...%.o,...o-...%.o....o/......(......o0....(....-....(......(1...-.....
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):428544
            Entropy (8bit):6.006090660156487
            Encrypted:false
            SSDEEP:6144:RmsYGWzoVXwCG7ZPUgHmvQXDAl6O97GzpOBHmvc/odyO1FimPei:RmsYdYGDHmvQXDAF9KzpOBHm4
            MD5:9ED537A728DC2E25E21C693172AF3189
            SHA1:843EAB8CB9D8D1A8AD1AC73CCC603FE71E978942
            SHA-256:A2A6A77D08066CE4F126A1F33EA03CDC4880CDDBEA041977C375458CF7AD7964
            SHA-512:9F8889B48682CE671CB679DFC71B2CD9ADABFFA27E7F655955377CAA38C5197808E89507878F729BED014DD8E447CE333EA76CDCF9C78EF7AC8EBC52CD043AEF
            Malicious:false
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0................. ........... ....................................`.................................w...O.......................................8............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........#..h]..........,.................................................{....*..{....*V.(......}......}....*...0..A........u........4.,/( ....{.....{....o!...,.("....{.....{....o#...*.*.*. )..9 )UU.Z( ....{....o$...X )UU.Z("....{....o%...X*...0..b........r...p......%..{.......%q.........-.&.+.......o&....%..{.......%q.........-.&.+.......o&....('...*..{(...*..{)...*..{*...*..{+...*..{,...*..(......}(.....}).....}*......}+......},...*..0...........u........|.,w( ....{(....{(
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):372224
            Entropy (8bit):6.101074730396687
            Encrypted:false
            SSDEEP:6144:8xMPlXWfHj8LXETe5QL6tseSlS8hvNVZrhFgIA1hbpMjy5MxybV1z1Jl9l24YNFK:6M5dlYNFOcuLRwumlDRPMLlRRRL
            MD5:B93A4FC138B43A049D5CACC42DC39E5A
            SHA1:98E5756289DB36929A4BD56049746675610F426F
            SHA-256:8F9B87F8E92C4AE4DE190D71E0C8124ADBB7225242DBE07EE192A3E7F21DA331
            SHA-512:2634C2FA6D2E7577D8B6412C6C8B4882982C2814DE77E0F6BF9D207523D56570D7D92C2DA37A6749EB677E891069DF3745B93A3E640F32FE5CF05E8B73CA6D49
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32+ executable (DLL) (GUI) x86-64 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):619520
            Entropy (8bit):6.305306491825975
            Encrypted:false
            SSDEEP:12288:IyJRZcs6VEG9KWvbaj95U68HRH1QhxeI+UraU60jEDr25AzfT:IyJTGr7vbaj95X8jQhxeI+UraU60jEDX
            MD5:ECB013FA5250FC3AB8D05E6C5FCF9DAC
            SHA1:1E70DCA86F4C6AF9517B3D675B1C548A802BC6A7
            SHA-256:649A303211BD96EF7C8EDFFAA5D3EB8546A74112892E41F16487D7BEA06D0C29
            SHA-512:179B028FC4D3F83D7B8E310884201F2B919C8DB0E429845432D258EE13EE08D5E4F388C1CF25E9A5A0599A137ED88E9EF224B4C338FD0B2F271DB0E74A27F635
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32+ executable (DLL) (GUI) x86-64 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):3811328
            Entropy (8bit):6.544891126711661
            Encrypted:false
            SSDEEP:49152:URKZE2hSLRywrqhmTTAXQ7YklLnIBdSSIs+IsDa2777g019f7JGLKS2DuRGQIqK9:emdS7xr77gcA4
            MD5:CA2C9039E67B7F32BAA7CA5E41AD70F5
            SHA1:44C57134F4FCF5ABA2FF24A27209DB70F1614530
            SHA-256:A53A735684976FE870DBB1FD0435BFB1C0F68E75A0D733C7CC12F405A7CE62B5
            SHA-512:CEF0D0A9D361DDED204417E53FAB82260C71CC46C3FCDC99D88748A30BFC40C8C82B05818ED79B52AB5431DEF0B637272055D909C9694627A0DC98720D7F01BC
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):92160
            Entropy (8bit):5.753901320700279
            Encrypted:false
            SSDEEP:1536:eUY7scYO2t1VwyCQAdopG+akQZjk7lNs8d2bhSvtRzpD7H0YfQZgdmroFKDA8w6K:eUY7scYO2t1VwBNdopG+/QZjk7lNs8dx
            MD5:630494E1E5B2D44D7B48983FE45405AB
            SHA1:CA24713C221F2FD10D8F9A2F0AA085379D70174D
            SHA-256:330CD1877592F31FA09B3FFA0CDF30E71492E4779632188E6CF4DBA4C681E958
            SHA-512:E24240EE831070ED89C60C74FE132C961BD57F2C70DA295058348F2908A838F12E9341B160BFCB02063A70A6993C318DE3045EEB490D77BA602D5224ABF14E2B
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):272896
            Entropy (8bit):5.961783039653154
            Encrypted:false
            SSDEEP:6144:8xFwVbaIrgPoWoK1P5MAu/K6Znm7F1fi8:coWoWGAu/UFz
            MD5:D5521F77F3EF2D254A4AFF7C8470D577
            SHA1:7E8453A738AA9D09A15413EFA80987C508485441
            SHA-256:0655AC28C71302F4CE284D7BB1BA79C25476B59CB60A4482A253B59706ECE5C0
            SHA-512:DD54D7AD64222138B4CE508A03FD400D1E2284ECDF9C48C098B3F659F1C32268B920D8B68982C38457F8A5AE051318697B2EA9389907CEBCDDF6C3A8984AAED7
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):425984
            Entropy (8bit):5.704741849682933
            Encrypted:false
            SSDEEP:6144:id+TYpwLu4ZZq6ICeWo6NwqjHqLc0sntgokJD1auZ+0b67T:QwZDEgbwqDYQ+dD1Tw0b6
            MD5:2A1EB6664ED7D0750F0538FBAE4D022F
            SHA1:172FC9ABDC31A70590CA8F026EBB42491584A86E
            SHA-256:5A4DB250B235BDA7ACED68BE4F1C85214DB967CC377FBA7E58C475DA8ADDB5BD
            SHA-512:BFA2E5356479F479127D59468D60F66C7CDE5C27C849FAA9CAB9FB1990934798C5E4F672D6103BADE6911FDE348EE0F14F515F736BF5DE9DC09A6B0DCB79949C
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):266752
            Entropy (8bit):5.954856631297247
            Encrypted:false
            SSDEEP:6144:1VBQAtApM2onw6b3ZGWkDxH53f/GM67b:LSM2ondbAJDDfg
            MD5:B61A62E018672E88FB698C8CBB256491
            SHA1:F488912BC4C35B8A5E43FADE063C8DC94876AA79
            SHA-256:0D798FD8EE522C2F355E2BF8D66582D5847B5585F018AFDFE53B7A12D46880CC
            SHA-512:A8D6707363B8D56BC482383DC1159A23FD81B7341C82EA8F35C1319B9333D13669933449EF9FF77EE3226868EB450B04E8F88965093D7C81F3B48764EC02C051
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32+ executable (DLL) (GUI) x86-64 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):2413056
            Entropy (8bit):6.5580420016222805
            Encrypted:false
            SSDEEP:49152:vCnxZgi8W20PY5VKK6rnbEieSMU9V7KqSDJdjI4IAQhyew6fYfeeRD9us5ILcQxl:vgpShqtr64
            MD5:ABE796ECFDD5460E258F9BF1C156B311
            SHA1:46136D422B6F8B290420A2433651194A62D52E8C
            SHA-256:2372E94255EBB523D395F9D8FA817BD9090E27FAA428490A625DE3CC7B47F2E4
            SHA-512:8D0E5F75E3021550324FC5D5117765F62C1D5FD35522E81FEC2E746AE528E19705DF197984A7AD61167B34E3CF0315A7B1489EEAE2C1A9BB88D1BA92CBD85DAD
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32+ executable (DLL) (GUI) x86-64 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):2671616
            Entropy (8bit):6.530186746858895
            Encrypted:false
            SSDEEP:49152:CO1TSwdTW2sEdQnjestkYjkj7IC7mEVDgPvQT5F9llxdjI4IAQwheg/YwVbH50kN:CWTSC7/vXRO/8/l7
            MD5:09A3193917B4D5C5B4DBE7705DD08731
            SHA1:E6138F9999F278E4EDB4BB74B974DD770F392686
            SHA-256:CA850DDB2124894F5A3BD00EE70A2AB2B9134E6B0B8AFAEED7228B9344E57562
            SHA-512:012CB7BD83D626C192C11EF51A90B16912E0AD32066083A47B282152D1D6E58F762BEFDBB038F02FA2896388EE52080C3667521949B08934A6CB3ACABEAAF2C6
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32+ executable (DLL) (GUI) x86-64 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):6559744
            Entropy (8bit):6.5855285830104595
            Encrypted:false
            SSDEEP:49152:3pbYeSiC6NupgIGuWAkR4CzhrTOwXhdNWC9rfHDwVMI4ZezpDjpSfxS1vXVk810J:pYiIW4MJTOwcJ4Za1w5wBVAwsDogc
            MD5:2DDC73A6D42E2F7404985EF3A29CC64D
            SHA1:D951CC457AA4A508FFDDE66613FE66A104028429
            SHA-256:DCA3B5FC6EB09B2ECA239AB3DBF1BF062FB73206D0D0EB7C9C88128071056661
            SHA-512:AC9A1C4BEEB23C08C804943B79DF01289955A52F415FC8A653204C16318C9EDBE664E2B536589FB732FE1C8E1F686D68F4AC2C0A0ABDDC061F9AC2BDE3FD443A
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):51200
            Entropy (8bit):5.9619831949803475
            Encrypted:false
            SSDEEP:768:Z+60Czw/Yyldpy3qjTEEMgGhM4MJWo5OAo8AXOiKs2:0gyldpy6jyhM1AA1A+iF2
            MD5:E16C72E61E17CA660CC185168F75941D
            SHA1:8BEE346926425B8CBCB98EC0E2501283464DBC9A
            SHA-256:572B0AE44756C84C199CACFFEF24EC08173605E8B5366499C500DA168FC2E0E0
            SHA-512:521E0960F1AD07702DEBDA0D4AA92982A58E39575542A957000BE61938B1DD5F425C2681426E3969B0EE32A10A45ACE256F10DCF542069D909751C269F6C3B22
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):103936
            Entropy (8bit):6.187446472851416
            Encrypted:false
            SSDEEP:1536:IKYdKdVCe4v+d6XDScjnJsrcAjdHGtSL8/Y6ESPKjWUbCVWVAK:IK5nCe4U6XDScFsrcAZHG67pbMaAK
            MD5:9D6D95A139D6A39D9C21118DD10451B5
            SHA1:3770351CB11D2B787C2209DAA6C30F55073DDE31
            SHA-256:5E00E3C5E7F73AF5CC4D595877BB9E3A1803F15174AE44CE031F7A3E457CE15E
            SHA-512:EDBBD190C35C4E54B6CFA73FB4DB0FC791B045E80CFC74054E7B7711499579AF181980EF53C86C80BBCD4C1FE3E9D92EF8660AB6D16CEDB872FFD406010BFD20
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):70656
            Entropy (8bit):6.646233281151963
            Encrypted:false
            SSDEEP:1536:0NSB+rI0eXCADcr5Y8e0mOBJZGTxWi1Q:0No+rI0QCADcr5FGT2
            MD5:7BB8BA8A4A28A2AC3F494A81B647890D
            SHA1:5697A16B9C87F8BADEDE311B0479EB1969C6A5BE
            SHA-256:12675D95EB140FE3884F47681531FA43C2B13C0680272CC16B307C31CC5E6F3F
            SHA-512:BE525EAB6EC71506B9708CCD0D4DD5D68AF23378E1BE265A44292E35ADEE33966A0CD471E183575E64268ADB8E16B7E0C35A5FE9993E928EB45BB4090CE7368E
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):181760
            Entropy (8bit):6.708201486148369
            Encrypted:false
            SSDEEP:3072:Ot52GTUNwbHqX/IynIJTs4+TClff32rB+i1MiL2+Pz:O6GoN0HqPINTstTCFf3Hi1LPP
            MD5:2FCDB15BD575B513AA5CF69ABD81304D
            SHA1:607821866B78F32AB4322F3AB5427BCBE8F8F115
            SHA-256:1679C065CBB5AA1D3C3CF43B6693BBC4476C40278CE6156867C77CDCA4435E78
            SHA-512:4B27AF79EAE24D8B7E70EAB29A1C8EAD49579C990C63D71EC42E97391DA6D271F8040F07AFBA6AAC5709453BEE34260F834614ACA1AA6EECC02AB57493F4AB46
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):80384
            Entropy (8bit):5.941280719339009
            Encrypted:false
            SSDEEP:1536:P4UI/iyu2iY6RylvcFP5yTp2/yGZpRRku9n9AXMXkL2/Rv3yflIkwec8B+8Kg:wUEptUyT8ZpvkC9AXlL29yflIkDa+
            MD5:6DE21B805D3DDE36983129D8D5DC5C4C
            SHA1:D2D4DFB3FC758B7AEE06D416B73BA0D8A0488D1C
            SHA-256:BB3C75DD55094B800C0975650A0D3F6B591A6104AE828687B3577DACD02E0C87
            SHA-512:052F1B1BF0F0E934132DFCC26FA94E925E2A31390E790BAC8F022638B3301653CC3CA7E2AB1FE2FF02362DAF584BCCFD9F116450BCC19B39F76B92B69D734608
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):275456
            Entropy (8bit):6.319519696151917
            Encrypted:false
            SSDEEP:6144:ZydCI+vZtZSzd3fxO6XtKhP476HTYl1EJTNcijZx4Z9S5tDobj3vbhPqwhPbNw4a:ZydGvZtwlfxO6XtS47kYaLTL6M
            MD5:C71D66108656BAB26C25BAB3B7763AE3
            SHA1:60E415B81301DE1C2E8D58910CE13DCDABB5EE66
            SHA-256:6DE348DC4A128DB94AB2CA0B3B7AA2D0DCA2543005D89DD63AC2950E83CF0E66
            SHA-512:10899128B61BF643331AF580D997941F0C2874700C91FA68A39E6BAAF529321B94FF9A77491B998C3CEC34C3A9D5EB06038509B9C2F37395CC07639D8E0149D6
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
            Category:dropped
            Size (bytes):1884672
            Entropy (8bit):6.352979258663521
            Encrypted:false
            SSDEEP:49152:4HVTsx6hxlvEqlMJgy5hamzsdqdKx9v2:AwgylGd2
            MD5:14424D25F48EE0A72763B8AD00647A7D
            SHA1:777286204550B4FD47E8A311A57984B1B76475EE
            SHA-256:5D12C529666C47735990AE27739883DD8DFADDDCB27E8B60C1EE82BEBD37ED3D
            SHA-512:79FF9ADD5C11700BD755EAF1971A270D77053D181D059D711D7CA2F36DEF4333D1047BDFF07328BDCEA80F1FB4952DA54D0F9DEFF17DE9D69BE142FD3CD245A0
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):1498624
            Entropy (8bit):5.884162467733259
            Encrypted:false
            SSDEEP:12288:DCJwdtR/aRapBXIg3GLBOqZW6wC+/p6LpGtVcieF4y:DgMH/maBXDGLBOqZW6wC+QLpGHcieW
            MD5:40917EEC970A5645BB77B2F84AAC9C69
            SHA1:41B2C828DFC8683B73CEE53742D84D7839AE8B19
            SHA-256:D34B80486998BFC95834B889614E427355B2C1FBC9554B2D64CAADBE5B4D6BF2
            SHA-512:FC9635C478EE88B7AB3DBBB0315BE4E2A6D29B130AB65937AE06835E1DD15CB521BFBE46148C1169DD7FA5A7F4F80E37D2C19C9CE9BB4D294843E7D54B4E98CE
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):27648
            Entropy (8bit):5.477162717447424
            Encrypted:false
            SSDEEP:384:199iGu4Au47NqRLi/f8C3aSIWtUcPj6VSXLeOc5nokwXT+yirUTI+nBwAsN52k8K:19k6A75SLiFh4+nI2/pI
            MD5:7A8407F139A70C4336E996DDAFDF5FA6
            SHA1:1E38C2683164A5FA746BFC76AB22AF99FAAC791C
            SHA-256:3E8F9826061D38EA24E35689CE3D07AAA65125238053EBA42A41570670695ECD
            SHA-512:CE1D71C42375C3C504840C6236673C5DA4F226DA17102115F90ABB6E18760189F0D12D10B859C554F1E9487E4E7181AC28B6F7534A2C7B431797E35F3370C0D8
            Malicious:false
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....Q.e.........." ..0..d............... ........... ....................................`...@......@............... ..................................D........................................................................................... ..H............text....c... ...d.................. ..`.rsrc...D............f..............@..@........................................H........(..@3...........[...&............................................(....*.~....-.r...p.....(....o....s.........~....*.~....*.......*V(....rQ..p~....o....*V(....r...p~....o....*V(....r...p~....o....*V(....r3..p~....o....*V(....r...p~....o....*V(....r...p~....o....*V(....r...p~....o....*V(....r;..p~....o....*V(....rm..p~....o....*V(....r...p~....o....*V(....r...p~....o....*V(....r...p~....o....*V(....r#..p~....o....*V(....rc..p~....o....*V(....r...p~....o....*V(....r...p~....o..
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):25600
            Entropy (8bit):5.295824159038895
            Encrypted:false
            SSDEEP:384:DdA4rsPyNwiN5Z0qq3nIiCXtsX6y6H3CYCFSAKA7myC8G6PtWL4EQt4MvSC0zFb:BA9PyXN5Z0iXtsXd6HSojlzFb
            MD5:35DF1F3B78749EA7BA68E5DCB23CE70C
            SHA1:3BC048A714D26EE94FE8FC3357F33BF6730EE4F7
            SHA-256:6D863937DE2B94DBE16B7D477F5A4A0D1958356F9152590EC734566225C7FF81
            SHA-512:5D2BC9A929C95713F8D85964755F391A0209B621B33002EDAE1DB82E5576E715DC362E2D11933F8F53655BB572108DF4C2D3DB135C5AA115401C07F88826DA29
            Malicious:false
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....Q.e.........." ..0..\............... ........... ....................................`...@......@............... ..............................................................ty............................................................... ..H............text....Z... ...\.................. ..`.rsrc................^..............@..@........................................H.......8%..<T..........................................................:.(......(....*..{....*"..}....*F.(....r...po....*:.(......(z...*..{....*"..}....*..{....*"..}....*..(......}.......3...%.....(....(....*..{....*..{....*"..}....*..(....*..{....*..{.....(....,.*.r...po......}.....r...po....*..{....*..{.....(....,.*.r...po......}.....r...po....*..{....*..{.....(....,.*.r...po......}.....r...po....*..{....*..{.....(....,.*.r)..po......}.....r)..po....*..{....*..{.....3.*.r1..po....
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):97792
            Entropy (8bit):5.995242889959274
            Encrypted:false
            SSDEEP:1536:cAL7115F/FPusEtsUqB5UTTur5H3PaYkFuDKCvn5DU78NwHvsnkFM2XsoZm0+NLv:D7r5FNPusEtsnB5U2H/cFObV3n
            MD5:680E95C08B958B90FDD2B56ACE8D88BA
            SHA1:C88772CA1DD262A743B5E4D3B6AF14F871BC62E5
            SHA-256:AC036B68090787B84478AFEBC322BDB703489A17CB1D03816C94BBA63DDC941F
            SHA-512:95C6372AAF35181417CC72FED3F6177639F23423BC2005CE4658224A6419ABAB8AB44B6782EA87991E37F37D2425DEAB1D98FDA95DA87CE9AC43CD942046EE99
            Malicious:false
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....Q.e.........." ..0..v............... ........... ....................................`...@......@............... ..............................................................(................................................................ ..H............text...`u... ...v.................. ..`.rsrc................x..............@..@........................................H.......4.................................................................(....*V.(......(......(....*V.(......(......(....*B...(......(....*B...(......(....*J....(.......(....*..{....*"..}....*..{....*"..}....*..{....*v.{.....3.*..}.....r...po....*..{....*"..}....*..{....*"..}....*..0..)........{.........(....t......|......(...+...3.*....0..)........{.........( ...t......|......(...+...3.*n.{....,..{......s!...o"...*....0..[........u....,.s.....u....(....*s....%.o....o....%.o....o..
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):273920
            Entropy (8bit):6.31669018298962
            Encrypted:false
            SSDEEP:3072:otj38HHujoe/a0p8XZoO1wrlLoItqEmpctcm5w19xkScQDejU0tKMaacmBtSaRIO:o9MHHzm+poO1wrNnqD6SIbFInH
            MD5:A869DF335B67548A1082677D680EB990
            SHA1:987081AC1B78C533D5D62D7F40DB33EA2BF49BC7
            SHA-256:91244B45C1BB1D076A08FC932CE214CAF95C33E44AECD9E7808A53F4B48947A1
            SHA-512:2B8CF8533F5A5122756E5CE11451797E42573DD4666908098D7755BE24A46EA146BAC3F41F1B3D50891E989921B745443B2A2CC6FF8BFD05E79AE9C08E267639
            Malicious:false
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....Q.e.........." ..0..&............... ........... ....................................`...@......@............... ...............................`..T............................C............................................................... ..H............text....$... ...&.................. ..`.rsrc...T....`.......(..............@..@........................................H...........H]...........x..............................................>. 4......( ...*2......o!...*:........o"...*.0..,........o#...r...p $...........%...%....o$...t....*&...o%...*..(&...*...0..)........{.........('...t......|......(...+...3.*....0..)........{.........()...t......|......(...+...3.*n.{....,..{......s*...o+...*F.~....(,...t....*6.~.....(-...*F.~....(,...t....*6.~.....(-...*F.~....(,...t....*6.~.....(-...*F.~....(,...t....*6.~.....(-...*F.~....(,...t....*6.~.....(-...
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):5632
            Entropy (8bit):4.419845688102247
            Encrypted:false
            SSDEEP:96:zL47FkvIUbqwY0zI6wSsVQ3BKnorTlx5oir4bQl18X1X:zUZkvI4I7q3lv1iX
            MD5:5F9048FFB0F8DC48AED999CC92B7DBB8
            SHA1:F1D96951D5FD393690D3396A5F419ED369570E73
            SHA-256:6BB304D1715C76429273E9BF9AD46ADF3D80C0601B61EBA32345618EDEA2163F
            SHA-512:153AE9703C70C7CD3630466A13FA5A94B9C21A1AB52642ECB25F43E9091059CC1B16780A94F6410BEAE601B5A57EB86B3E080AE30EC4428399EA0FA41EC2D8D9
            Malicious:false
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....Q.e.........." ..0.................. ........... .......................`............`...@......@............... ...............................@..............................$,............................................................... ..H............text...\.... ...................... ..`.rsrc........@......................@..@........................................H.......t ................................................................{....*"..}....*..{....*"..}....*..(....*..BSJB............v4.0.30319......l...$...#~..........#Strings....p.......#US.t.......#GUID.......,...#Blob...........W..........3..............................................................................[.....&...........N.U.....U.....U...B.U.....U...'.U...e.U...:.......................G.....@.i.........7.....0.....N.............N...............................I.....
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):88576
            Entropy (8bit):5.918827475134036
            Encrypted:false
            SSDEEP:1536:Oja9FIsCbBo1WbAFDGxtQRWhZnshhrawbrggQq+PHney3mc6fRN+YN:uaaMbR1Vac8gQtPHney3m1qYN
            MD5:5F3F704EA01D9F7E68674AEA04942708
            SHA1:34A86C53D22FE94EDE9041F818AE5BA82AD9170D
            SHA-256:CB530BF0533C45F8E35BD19F815598B12E05244EFBC1426CE9BEF92D032C4540
            SHA-512:329516D3BB797CDBE08F116C8D457604A4687F8E1CABAF0DF1B4145EFFDFD5B09E133BD51E9501C514E5D15B87F107561974265522B21DDBDA7709964D7C5048
            Malicious:false
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....Q.e.........." ..0..R............... ........... ....................................`...@......@............... ...............................................................n............................................................... ..H............text...4P... ...R.................. ..`.rsrc................T..............@..@........................................H.......P~...............&.. H...........................................0..............(.............o....(....*....0..f..........(....-0s.........+...o.........o......X...o....2..o........(..............o....(........,..o......*..........XZ.......0...........-.r...p...(......(.............~ .....~ .....~ .....~ .....~ .....~ .....(!..........(....(..........(....(.........(".... ......(#....~ ........(....-...($...s%...z...u..... ......(#....~ .........(....-...($...s%...z..(&.....
            Process:C:\Windows\System32\msiexec.exe
            File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
            Category:dropped
            Size (bytes):270
            Entropy (8bit):5.01451305312788
            Encrypted:false
            SSDEEP:6:aPi8zxyLkWA3L+qowwp91wRp+njmiAHmjm82hAQ9hd:n8AkWA3LGwwpnoOjNAHmjF2i4X
            MD5:88176653746D67F2EF1ECC3E1536694D
            SHA1:A992970CC76FCA7771176A9AC8A26E0DF59BC243
            SHA-256:A1CD91F3099959C6F5F127A17E1AEEB8FFF9A2579F2FBE2C922BC62E549B6652
            SHA-512:1E7E97DF22385C9D57DB3278ABB4CA74D3B3F04922BCF39B4C19541D5A1007D6901710AAF45410CB1856B261E6168F74349753C262B0DAEA92A1737A18C4C471
            Malicious:false
            Preview:.---- DataFileResultFilesInfo ----..ALTER TABLE [dbo].[DataFileResultFilesInfo] ADD ..CONSTRAINT [FK_DataFileResultFileInfo_DataFileUpdatedID] FOREIGN KEY ([DataFileUpdatedID]) REFERENCES [dbo].[DataFileInfo] ([DataFileUpdatedID]) ON DELETE CASCADE ON UPDATE CASCADE..
            Process:C:\Windows\System32\msiexec.exe
            File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
            Category:dropped
            Size (bytes):514
            Entropy (8bit):4.788292449180964
            Encrypted:false
            SSDEEP:12:JWA3NyVzQodIql/3WJpJZgoR0CLVHsZH1OwrkJoe8NV:L3gV5d/ihgole1FkJoea
            MD5:F6BB0D7881A4AC58407FE7EB2220CF3F
            SHA1:465F49B55977DA39F85D6F92131D85F9DDB3D727
            SHA-256:A2C80BF573FCF7C00298BBABF63C46F360278921F5B334BC3FF4726C4B2A54BE
            SHA-512:8B1BBD463BE4FDA97F67D546AE91980A166F26870B6E53889267BF66F3801BCC31B457C594F8734E00785D9740F1497B6648B4111AAB1F72DECA7EFCB61DF775
            Malicious:false
            Preview:.CREATE TABLE [dbo].[DataFileResultFilesInfo] (.. [ResultFileID] UNIQUEIDENTIFIER ROWGUIDCOL NOT NULL,.. [DataFileUpdatedID] UNIQUEIDENTIFIER NOT NULL,.. [ResultFileName] NVARCHAR (64) NOT NULL,.. [ResultFileBinaryData] VARBINARY (MAX) FILESTREAM NOT NULL,.. [ResultFileHash] CHAR (64) NOT NULL,.. CONSTRAINT [PK_DataFileResultFilesInfo] PRIMARY KEY CLUSTERED ([ResultFileID] ASC) FILESTREAM_ON [RigakuDB_ProjectFS]..);..
            Process:C:\Windows\System32\msiexec.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):744
            Entropy (8bit):4.900572659480344
            Encrypted:false
            SSDEEP:12:8cTMfU2IcW3QuQ3+uT5Atu+lGuXfiYGuAmp42VOoBBcGMOvC5pEP9evMQM:835InQZuK85GKfiYGlmzVHxQpEsvTM
            MD5:F6945B02E89347D670667141E50EC6D5
            SHA1:E015105C5C6AB5305EA2F71001F4FB278C12B28B
            SHA-256:80CAEBF6AE282699BE74A781EA0C1E61053B7BC5D0CBFC942C9BA3042D679316
            SHA-512:1F9851574D5295E78FC4CDA1FAA39C672622E2D4754C15A33353E7576F6FBCE04B889EA9CEE90A176A43C37582571A7C73C193926870CBD60F1B68FA6BD398D3
            Malicious:false
            Preview:IF NOT EXISTS (SELECT * FROM sys.objects WHERE object_id = OBJECT_ID(N'[TablesMng]', N'U'))..BEGIN..-- Create 'TablesMng' table..CREATE TABLE [dbo].[TablesMng] (.. [TableName] NVARCHAR (128) NOT NULL,.. [TableVersion] INT DEFAULT ((1)) NOT NULL,.. [TableCreated] DATETIME NULL,.. [TableModified] DATETIME NULL,.. [TableExists] BIT DEFAULT ('1') NOT NULL,.. CONSTRAINT [PK_TablesMng] PRIMARY KEY CLUSTERED ([TableName] ASC)..);..-- Add all tables name without 'TablesMng', 'sysdiagrams'..INSERT INTO [TablesMng]([TableName]).. SELECT [name].. FROM sys.tables.. WHERE type in (N'U') AND name != N'TablesMng' AND name != N'sysdiagrams';..END..
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):158720
            Entropy (8bit):5.482200395210166
            Encrypted:false
            SSDEEP:3072:IbENKEi1n0u2+7h/w4hFL8F5OR7PA9QWY+0dYHCbDqfZeFIWv5pWGnoxUx0BVHy+:IbENKljhfR7PA9QWY+0dYHCbDqfZeFIA
            MD5:B98B46DE700FABB5AF7A8B6413812AC0
            SHA1:E77220041A33503E3ECC5BC97090B6CDA2220652
            SHA-256:440FC60CF593DAFEC37AF7CF93195D9B424B5680F8CE1BC4C61750FE61080007
            SHA-512:3F9922771E1AB5EF69DC652B4D01C44DB32ABED67FC3E79070564C5050C9A2404D49CA3245D3C4CAE2C9ED867D8A00B526103DEEECCA8B823EB1CD4CE834081A
            Malicious:false
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....."c.........."...0..V...........u... ........@.. ....................................`.................................8u..O....................................t............................................... ............... ..H............text....U... ...V.................. ..`.rsrc................X..............@..@.reloc...............j..............@..B................lu......H........2...'...........Z..............................................6.(.....(....*z.,..{....,..{....o......(....*....0...........s....}.....(.....{........s....o.....{.....(o.....{....r...po ....{.... F.....s!...o"....{.....o#....{.....o$...."...@"..@As%...(&.....('.... i....4s!...((.....()....(*....{....o+.....(,.....(-.....(.....r...p( .....(/....r5..po0.....(1.....(2...*.........s3...s4...}.....{.....o5....{....o6...*..s......}.......{....o7...&...{....o8...*....{.....
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32+ executable (DLL) (GUI) x86-64 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):3718656
            Entropy (8bit):6.195345262547764
            Encrypted:false
            SSDEEP:49152:cZ+xRaVRQqfMu+QwPa7P1BMqQH8QRJsAW/eYfRx/L+AJK3QJW67eIlTpVcZyRTAq:kMu+QwPhc5
            MD5:65E2CEA2290BBE320B8D4EA859E99383
            SHA1:6DD336CC72FAA41E3F6B8A09E703C113523BFBFE
            SHA-256:B0C066F6755097E6DA1E4F54F8630272DE3A69AAF39824228EA8391817C38339
            SHA-512:DCDF50E23F95CBECB04544FC28C0FF2597A14CEE1F012954212F2DECCE6FF03C66E7C04E518F8EAAF0925C475FFE4328695DCBDC2EDCE69710D67D0B27DF8BA6
            Malicious:false
            Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......J.........................................5.....................a.4.......0.....a.2...............................4.....................Rich....................PE..d.....*O.........." .........4%......X....................................... 9.......8.......................................................6.......8......P8..8............8..U......................................................X.....6. .......H............text...gL.......N.................. ..`.nep.....S...`...T...R.............. ..`.rdata...=#......>#.................@..@.data....@....7..&....6.............@....pdata...8...P8..:....8.............@..@.rsrc.........8......D8.............@..@.reloc..Zw....8..x...F8.............@..B........................................................................................................................................................................
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):503296
            Entropy (8bit):6.601449565504859
            Encrypted:false
            SSDEEP:12288:1xzYSokXGri5d79xEm9wfjEF8G3WQFILn:1lMkXGghxEm9wfQ+oWcIb
            MD5:FF04878E8169F732FDE8BD16DFB20A35
            SHA1:BE7B5A11093E7FE3440E0060445DA27769F17E82
            SHA-256:70123729AA2019BBBC1AD35D28138D4B77337E8870D8145242A0571EAAFEF392
            SHA-512:E0F062219B61CC395C3D4AAC04991618E43AE8158648DFDD7AB94F7F6D45C06E821C756953AC66A63EF6AE707AE78168850FAB73BCF0758FA5EE77E10E9C6FC3
            Malicious:false
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................"...0..$............... .....@..... ....................................`...@......@............... ...............................`..X............................B..8............................................................ ..H............text....#... ...$.................. ..`.rsrc...X....`.......&..............@..@........................................H............j.............. O............................................{!...*..{"...*V.(#.....}!.....}"...*...0..A........u........4.,/($....{!....{!...o%...,.(&....{"....{"...o'...*.*.*. +2.. )UU.Z($....{!...o(...X )UU.Z(&....{"...o)...X*...0..b........r...p......%..{!......%q.........-.&.+.......o*....%..{"......%q.........-.&.+.......o*....(+...*:.(#.....}....*..{....*..{.....(,...,.*.r?..po......}.....r?..po....*..{....*..{.....(,...,.*.rU..po......}.....rU..po....*..{....*..{
            Process:C:\Windows\System32\msiexec.exe
            File Type:XML 1.0 document, Unicode text, UTF-8 text, with very long lines (745), with CRLF line terminators
            Category:dropped
            Size (bytes):6273
            Entropy (8bit):5.1040005734783085
            Encrypted:false
            SSDEEP:96:an+F/+eiwuRBd1z0RBd15NPpzRBd1FQ4gmKqCuNzKgYRSDfCQpGrV1Y:6wxiwyaNPptA4n5tffCPrV2
            MD5:B5F33FD1112164E8C9CCEDC78001124A
            SHA1:B2A68122CE7BCE881BE1E68FE0D1ED08B158C260
            SHA-256:BCC100C093100042BB71172BC79E13B0987C742AB235D94EB02F87E7F6ED1B85
            SHA-512:2A1734825613A08C48D07A934F227DF57D564DE47A3E32E9BEC003F90BB49E8F207E213F3870B5D3A149575BDD6181A7638C8605F785A6D19D81E38713DD547D
            Malicious:false
            Preview:<?xml version="1.0"?>..<configuration> .. <configSections>.. <section name="loggingConfiguration" type="Microsoft.Practices.EnterpriseLibrary.Logging.Configuration.LoggingSettings, Microsoft.Practices.EnterpriseLibrary.Logging, Version=5.0.414.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" requirePermission="true"/>.. <section name="exceptionHandling" type="Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.Configuration.ExceptionHandlingSettings, Microsoft.Practices.EnterpriseLibrary.ExceptionHandling, Version=5.0.414.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" requirePermission="true"/>.. <section name="interfaceLanguages" type="System.Configuration.DictionarySectionHandler" />.. </configSections>.. <loggingConfiguration name="" tracingEnabled="true" defaultCategory="General">.. <listeners>.. <add name="Rolling Flat File Trace Listener" type="Microsoft.Practices.EnterpriseLibrary.Logging.TraceListeners.RollingFlatFileTraceListener, Microsoft.Pr
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):110856
            Entropy (8bit):6.121824378141981
            Encrypted:false
            SSDEEP:1536:GV9Nlw3Ig3uXZVpd+F1stVFZ+Mcs/8bnTR7heT+PgDX/oUGmaYJ:wHlw4yOZVpd+Favw7xEOgDX/oUG3YJ
            MD5:1037370A013C5CE0D89BFF2B325D3DB9
            SHA1:D527DE8E71B6E0ED86EA7B3CDA892D90AE75A365
            SHA-256:AF91067327D1B137F85F3B68F4CD192458B481CDFE549E7A08A423A540D3BA48
            SHA-512:412B7B2AA8C436B523094DD760317734ACFAC48DBBA197911189B84CA4B63D574EDE4D90393ACD3A1CA3E5F85C043E75EF6D08725109FAA8ACBBA5B34A2CE8F5
            Malicious:false
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....<V.........." ..0..h..........z.... .........e. ...............................a....`.................................(...O....................r...?........................................................... ............... ..H............text....g... ...h.................. ..`.rsrc................j..............@..@.reloc...............p..............@..B................\.......H.......X%..X............1..xT..(....................................................................................................................................................................................................................................................................................................0...............0...............................0...........................................................................................0..............
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):55904
            Entropy (8bit):6.299047178318044
            Encrypted:false
            SSDEEP:1536:BYQaIZaEmaOQxn6JxKjtlMZAnuETAV+w4:aIhOQcSLAj4
            MD5:580244BC805220253A87196913EB3E5E
            SHA1:CE6C4C18CF638F980905B9CB6710EE1FA73BB397
            SHA-256:93FBC59E4880AFC9F136C3AC0976ADA7F3FAA7CACEDCE5C824B337CBCA9D2EBF
            SHA-512:2666B594F13CE9DF2352D10A3D8836BF447EAF6A08DA528B027436BB4AFFAAD9CD5466B4337A3EAF7B41D3021016B53C5448C7A52C037708CAE9501DB89A73F0
            Malicious:false
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...W."Q...........!.................... ........ ;. ...................................`.....................................K.......................`>..........H................................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......,O...`..........pD......P ......................................g.=d.N:..K..=mU.....M......^.....@........h.pX..9.web.~M}.R9 l9..2.....1S...{^..Pn....8.6k...S.-.K..$uXpy....t.'.%u/...+VC6.(.....{....*...0..&........(..............s....o.....s....}....*...0..K........(.....{....o........,3..+&..( .........{.....o!............*..X...(....2.*..0..L........{.....o"...,=(#...(..................($...o%.......(&...o%.....('...s(...z*.0...........o).......E............d
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):12288
            Entropy (8bit):5.325704894941208
            Encrypted:false
            SSDEEP:192:DirjPKMKye8Rw3GxUsg7Zx8KA8aBaUMcfhwjHZFKxozvYu8O+F9KRnXEblWq:x1qe3UU/7ZBaBazkwpbH8OiKRnXEZWq
            MD5:ED272714F0B93B2EA2CAD039AFD6B367
            SHA1:F4B596DAB009BBA7342CA631C03EE6D1972549B5
            SHA-256:C4E5E1F9FFFCA9471C7CB168CC6745ADBE5C9635DB6DE7E499BEA7329DC28D6F
            SHA-512:EB4F3D6FCD9E2A6812E24DD12F9807EB634A2E00B2F41D743591D504C1D70493B93234619CC0CF338DB3888312EBFA4EB991279046CC22F04692E0EA294C9AD2
            Malicious:false
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...@q._.........." ..0..*............... ........... ....................................`...@......@............... ...............................`...............................G............................................................... ..H............text....(... ...*.................. ..`.rsrc........`.......,..............@..@........................................H........'................................................................(....*.0..6.........(.....(....-.(....o.....+..(.............s....o....*...0..Y........o......,M..(....}........(......(.....{....(....X(.....#.........{....s.....s....o ....*....0..M........u......,B........s...........s....(............s!...("...........s....o#...*n..u....}.....{....,..($...*n..}............}.....($...*n..}............}.....($...*....0..*.......#.........(%...u......{....9.....9.....{.....(..
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):733184
            Entropy (8bit):5.727518135987406
            Encrypted:false
            SSDEEP:12288:w3JRU5vc5i0r0fmPoeJS+Z6nsggCUVfoP7jBR7PA9QWY+0dYHCbDqfZeFIWv5pW/:wfigS+Z6nsFCzDNR7PA9QWY+0dYHCbD4
            MD5:C0D0D3CA2A6A6036D3D3DCDFED94E66B
            SHA1:A037040E7E9F5040702872F6D1FD9FF1F2648239
            SHA-256:8306FBB3981E0A9CAC4B7E25E91D0385A45A37B0A4BC6A33B5C7A8DC9C58D348
            SHA-512:CD4E12ACD9A4F55E852FEB6E16832886AA39D86EA22A0EF3886CA77311133061D680D0760B067C90BF52E2B1731AD377A6D94D026A0F8D2686B84C23549A849D
            Malicious:false
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...n..d.........."...0.................. .....@..... .......................`............`...@......@............... ...............................@...............................9............................................................... ..H............text........ ...................... ..`.rsrc........@......................@..@........................................H.......\................................................................{....*..{....*V.(......}......}....*...0..;........u......,/(.....{.....{....o....,.(.....{.....{....o ...*.*. ...4 )UU.Z(.....{....o!...X )UU.Z(.....{....o"...X*.0..X........r...p......%..{.............-.&.+.......o#....%..{.............-.&.+.......o#....($...*.0...........s.......{....o%....o.....;...(&...r]..p('.........((...tn...()....*...((...tn...()....(.p....p...(&...(+...(,.........%...(...+(...+o/....
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
            Category:dropped
            Size (bytes):102976
            Entropy (8bit):6.133818827200714
            Encrypted:false
            SSDEEP:1536:7VHvTIsHjnEwYZgOHPDpDURsJWJ5zK7fs8oMHc8e8sW4drLVHz19O:VTBDnEwYZHLpDURssQj4TrLVT19O
            MD5:E9B19D5C697FF490BB0558FE97A5645D
            SHA1:43CBD270AF98434036D9427193C552C4EAAC69DB
            SHA-256:ECF4347E6D9FA6A0EC3CDFDC0985371005ADFE9C15AEF94F7A9B8C51BCBFA2E0
            SHA-512:6628D79B7E517B4F74F27FCBEF449E6DD5609804CC3566370B0D0AD9F635B1FBD335AD73772BAE85A2F16EF6CFAA77794DE454FC4EE0156BFC94CEC749721DFF
            Malicious:false
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......k.../.`./.`./.`..{..,.`./.a.`.`.i..2.`.i..J.`.i..'.`......`......`......`.Rich/.`.................PE..d...-p[X.........." ........................... ..........................................`..........................................B..t....F..(....................^..@4......4.......8...........................`8..p............................................text...=........................... ..`.rdata...m.......n..................@..@.data....9...P.......6..............@....pdata...............L..............@..@.reloc..4............X..............@..B................................................................................................................................................................................................................................................................................................................
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):11696
            Entropy (8bit):6.087791670168019
            Encrypted:false
            SSDEEP:192:CDIf3jj8zlk6+EhQUy4G335/wJirNmL/ClhI+ebCfjQpkqs1Il7ro:CDIfjj8z/xLY3mirILIhebCP1Mro
            MD5:36898EFC481969F6471AE6B47A929FBC
            SHA1:5F006C1EDE6FCFA5213003AE25A0DF47408C1E3C
            SHA-256:5E6ACC74FC4743EADC7336004309C25B9F3FB81B9BD0DD3F7D54B1681D00BABB
            SHA-512:F971CAE55431968FE51C195E5CB02C5DA0A2941328D59B3653B56D97A6E7C392CC5EC38001E93B840E295651661F9F0CDFB3E5AADA468746EE207951D38AF471
            Malicious:false
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....P...........!.................-... ...@....@.. ...............................>....@..................................,..K....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................-......H.......`!......................P ......................................fd.P.i..0.k.4..'O....uQl%j.L/..$..(j.]...1X..Q..S.%)..)...R.!...R.....S2m.@...,..X..5.7....7E.H....nk.....R.~.A.Q.4.._<x..y:.(......}....*..{....*"..}....*..{....*"..}....*:..}.....(....*..(....*..*..*..*..*..*.r...ps....z.r...ps....z..*..*..**.......Q.*..*..*..*..*.BSJB............v2.0.50727......l...L...#~..........#Strings........,...#US.........#GUID.......x...#Blob...........W..........3........
            Process:C:\Windows\System32\msiexec.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):4522
            Entropy (8bit):5.273659362068401
            Encrypted:false
            SSDEEP:96:tWj52qBxIwhM720Ka9D+PjVPX5+Nys+CyH+kyBv:aXhM720Ka9DAjtX5+Nf+CU+kCv
            MD5:7832BF68297E3862E75BF1698C459BC7
            SHA1:497871AE34C9AD5ACB003BA8E5B6F135648C72F0
            SHA-256:26FD5705264DB5739188DDAEB2D4EC0F2A4180B2BD7E28142B53C576CFE7AB28
            SHA-512:1DEDD41BC486BD69C56ECB6E8513DAA50BF7280E2CE66F3FD9ACB92DD10F46BFB82F28102349E79AAF9D66E12B4B6DED213829403890B8F41324E2C7F1649CE7
            Malicious:false
            Preview:setlocal enabledelayedexpansion....set Gen=1..set BackupPathLocal=C:\ProgramData\Rigaku\SureDI\AutoDatabaseBackup..@rem set BackupPathNetwork=\\192.168.1.2\disk1\AutoDatabaseBackup..set BackupPathNetwork=C:\RigakuSQLDB_back....set tm=%time:~0,8%..set tm=%tm::=%..set tm=%tm: =0%..@rem echo %tm%....set uscurdate=%date:/=%..set uscurdate=%uscurdate: =_%..set curdate=%uscurdate%_%tm%..@rem set curdate=%date:/=%_%tm%..echo %curdate%....@rem "Set the backup folder name"..set CurTimeFolder=%BackupPathLocal%\BackupFiles\%curdate%....@rem "Create a folder for log output."..If not exist %BackupPathLocal%\log mkdir %BackupPathLocal%\log....@rem "Create an empty log file."..set LogFile=%BackupPathLocal%\log\backup_SQLRigaku_%curdate%.log..type nul > %LogFile%....@rem "Create a folder to back up"..mkdir "%CurTimeFolder%"....@rem "Set backup file name"....for /f "tokens=2 delims==" %%G in ('wmic os get localdatetime /value') do set usdatetime=%%G..set usyear=%usdatetime:~0,4%..set usmonth=%usdatetim
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):175896
            Entropy (8bit):5.050621571226441
            Encrypted:false
            SSDEEP:3072:GBxa77DYYjgtEhhiAbEMXPX1XbVYYVqSNJG7KNa0e5DgIeq3f:eaHDVhJXv1XbVYYPsKNa0e5DgIX
            MD5:11DD6288CAEF138CFECCF4246ECD5C31
            SHA1:618E5CE657E6BAD643B20E6962C4D6E159E672F7
            SHA-256:637F478FCC007DD3EA4A9CB2AEF00B27AAB0727410F58EC5A3B2DE00FE9C450F
            SHA-512:A86C7D4C4B0D66F20FD1722655D20A5FE984FE8168696A7077B2F8EF7F30173D6C14CE88A322E8E90E62281D98E554EAA39EB5F9A2C657E1C29C938572162273
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):59672
            Entropy (8bit):5.631924262866675
            Encrypted:false
            SSDEEP:384:f3W3tSy8H/seqE/AYMSxeURogYMcLhBbZJRESRQdPN0NpBeZvDgf2h6i:YgfH/AEfxu/DZJ/w6OZvUf2h6i
            MD5:DF52D641C5F147631C88233B8373FD33
            SHA1:FCFB9EE5E4DD0A7F92E2AE8F2A33725DA52FB117
            SHA-256:D6A10C6F9E3AB1BAC4F97889EC6C14FF52AE37730D12B8090639B7555B37686A
            SHA-512:14274F21A417588C08380C85A394AC8E1ACE46B0078373A8E244674B33AFB10EE6DD3246035B25F15B655BD92C1F25BA13C46B130947628316E8E54A5C1FBF40
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):32536
            Entropy (8bit):5.687293673654376
            Encrypted:false
            SSDEEP:384:TdVWhCmikF9JnuhyxreouXcITR4AA4CjoWbC2SBe4RDgf2hW:xVWhCmikF9JnugxreXcw+1C2DmUf2hW
            MD5:22A36F704084CF9E1BEBA123D2810EB4
            SHA1:3073A814535590F0789F5F71441D6DB06971F05D
            SHA-256:2F600B901FDC66E81077B06CE14B3BE4ECC34DB1833A641B0932767AB51FEF50
            SHA-512:F66E7BD3DEA2767DED2F283EC7F8A7D83203879CFA3933A1CA090D55622BA520EE6DC0C76C14CD7A3FE3180C9EDD4F46A0822D19AC732DC04853206CB17A7BAA
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):11544
            Entropy (8bit):6.341954373988819
            Encrypted:false
            SSDEEP:96:SKdKKA5Q/R0zh+ltcpHN8sWc4siOwzKgmB30azYoB6hbWCIlhkbwRa9aH2n/lVxv:5gs0U84svB/7qFgh7a9sgfxIZH9r8
            MD5:E35D6ACE3D60CCCD7EA7037BB807794C
            SHA1:5EFC2D24CF40FA990B43E8D86C7E0224D1D9FEFE
            SHA-256:B7819B79881B89D160E57300A94199B2BE58AD080947FDCB72318F41FE36D675
            SHA-512:41A51F4E0775220D9D263B205832C0135B0DE52610FFAC6D946EC2C798ADF89EED09968256E376F802A60902D5BE9B20536EBA63A62B8F4C6E95460B755839D0
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):73496
            Entropy (8bit):4.945674816275812
            Encrypted:false
            SSDEEP:768:zU0RyeuxiCjuCATsEXBokOlwpeeLYpORNyxIE89LKH2Uf2h0:zU0R9uxiCj8+9OR6IRE2Ufn
            MD5:D6A59E104185E5DE21447182D283489F
            SHA1:A74FF6C6BF3AAF7D427A7C866195261CA8633E6E
            SHA-256:ECB29BD0E46FC5EDFFCC29463CD9196F1FFA45A6BC672234CA3D3E76FA132737
            SHA-512:960EBF81128EBD7379E22262850021DCB8E29793797A5DFFBC9C57AE50F7116B247AB2CF58A424146D74D49BB59928E2AF4D9CD35565BF93A4B7D353B6C8848B
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):215832
            Entropy (8bit):4.995963087297162
            Encrypted:false
            SSDEEP:3072:8mLpteYn2p9LsAafnC3UWWUgihD5YtZohbKUuTzZiDkW3i3+EOW9H63QrrwDJZDJ:97eYn2pnUihNYyDMffrrwFZd
            MD5:FA74451C06412DA1F01FBE643CFF4575
            SHA1:55745B1BB545E28BE498676A42E1909D2592C92E
            SHA-256:870531C97B2DAD2DDF40069FC3C2FE6E1EDE7200907723A705189A86B00173DC
            SHA-512:1CEFA3DA78E50F93DD774F1A17854BA60A0D49A7FF5A8CA63F085E3677CB3543BE7893807FA74B38ADC9403C5BD1DC41729A09167401B9B7DE63BFE49AD3D007
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):29976
            Entropy (8bit):5.551185230890267
            Encrypted:false
            SSDEEP:192:Xiqhk/G1mj0EzDSe0uSIQu4YU/58SWpw0v4fm9c/etMAeJjJNypySPLPstKtUrnX:Xjq/JKV5+a3niEWj2UMKBeIWDgf2hf
            MD5:5624BB02AA394A245DCB3D594D6EF288
            SHA1:7CFB47A49046C516137917C995CF36B96D762104
            SHA-256:33DABB11E29D0A7915D961F360A8B49663D0F394914675F1B5FC3050F2DFB9F7
            SHA-512:D39B281F5E31F38446ECB6C20BC396AFEB00FD773AA5AC0BBDA6FC9DD83A53D6BEDF03FBCC115C7BF2C9B644D13726DAE6FFDFA3B51BFAB968F2328297851E6D
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):12056
            Entropy (8bit):6.278179393007552
            Encrypted:false
            SSDEEP:192:AB+Y0q4AnJOAphW7QzEB/7qFA8da9sgfxIZHHNG:JY0AnJOAphW7QzEBeuIDgf2hHk
            MD5:CF7A9B29D6FC11BE6C40F4375A0F2CEC
            SHA1:DF0316E8CDB805AD0A36A033598D313502BAE862
            SHA-256:FA9557104F01CDFA34D793EBE789B3C0D527C05264902F70AEA4D1DDECCECC2D
            SHA-512:7BED8978B5A46A10731B5C7870D7A80125B7906848E632ACE392B86988BF284D733CBE6C6D1A855962879B3C3F1C08F73712FF199A7CBFB47CBFCE2F006FB1D5
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):606488
            Entropy (8bit):5.108823602787267
            Encrypted:false
            SSDEEP:6144:XWt+V0mfsV7+pYZSQiu30KKCVLxnNaaagv:Xm+V0wu30KKCE6
            MD5:0C026882888F60F78F7697AC0FC33FFB
            SHA1:F12C79ECB786A53B60C1CD1DF08D993F3F19E71E
            SHA-256:EE0E06261075899AC5603F20FF1EE8177644082906C7B1C7C4E8266F3DB6492F
            SHA-512:CE00EB83C969E9DE700E9B6DB7DCA1511F80D1012EF28B0BEF21355B53ED0D02488E49C04F25C7023875BC27DD581F4E65B25AFBF2DC81A0FCB2D49A48CDE160
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):13592
            Entropy (8bit):6.302711681511138
            Encrypted:false
            SSDEEP:192:gylwHe17DTueShlnO/oZ4SexXXV/B/7qFDn1a9sgfxIZH1l:gz4XnV/Bep1Dgf2h1l
            MD5:4B8D02640E922B9B77A7AB5087219C52
            SHA1:AC68445599478505CA8DF940345D9E2134017EB5
            SHA-256:01307AF3B01B573B0E7BFE42DABE10961FEDC269F381EE2159C12EA97657C10C
            SHA-512:C7B00C07A44ED6A023A32571BAEFC4A927DAE7DF74F694DE7CBEF832FB2FB0E2AA2306DCE535F3D5442E4F703EE0B7CD8B2A4281EEFF5736147908DB75A4BE56
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):12056
            Entropy (8bit):6.199660172332929
            Encrypted:false
            SSDEEP:192:oEWXZ88eDA7oyBkH7JB/7qF/Xka9sgfxIZH5:VWXZ8moekH1BeiDgf2h5
            MD5:980F486677578F6132A2372E821C54E6
            SHA1:773DEDAAA83EBB5C755DC5EE90C36514FE7748DF
            SHA-256:FD70BD92179CF8663E4F2C4C8FB8F84E24AB0AAEC818E1B81194B6555311B986
            SHA-512:FC2FC3D9AF493CF1E9F80B40783B9AFB6A1FD9A6D83852C85BE768C0B78BAB0A88FDF8BD7AE5F75018AD8E10A860A04FCD132BE2A9DF7D29D7BF3BA135B4E57C
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):136472
            Entropy (8bit):5.01643392816195
            Encrypted:false
            SSDEEP:1536:dsHS4MTC+H7SE9VgL8l3Jt///ebo/r3dTmRfY9KUUfB:d0xMdH7SE9Vh3Jt/Xao/r3dTmRAMB
            MD5:92349D0DF19B47A3B95AC9F3471021BA
            SHA1:968DABF866A1D6CE291ABA16FCF9E47A12C3E1A0
            SHA-256:449FF59EEF8C974D3AE419CCA46DB29321172FEF422A017D8A731299DA9699C2
            SHA-512:65BCA83E29F78F4AC8FC4D84E2E6471848403F8C8E6538D8A33EE90BFD145F59F8C0C0505C0C5B14C50EB70B0A1293663108E6AD8A3883FAED0FB6A400D284EE
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):26904
            Entropy (8bit):5.706339651939133
            Encrypted:false
            SSDEEP:768:1P2sYuEu16YPMm8+iJQ9Mn0s5o2RUf2hZ6:1+fuEX5JQ9Mn0IouUfO6
            MD5:93C952B225DC95E3CCF2BE6F7E2DC4DA
            SHA1:01A7306671C9D01A139C4CC76FDE8241E2E5B108
            SHA-256:C677200D9B7AF266307D330D7CEE2F6E0C2592165BA6E606D509C2A99D120E3F
            SHA-512:5ECD1599BC865FF687E1DCB0845DC6910627A511B4294597E53674D0F2D6BBAA9FAC7ACBB995BD7D5615827AE0BDCF0FAE6E6238D9F4C6E28F064FDA2D1366C0
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):17688
            Entropy (8bit):5.80194958575095
            Encrypted:false
            SSDEEP:192:kPdKiIEFetcQUJ29rnKCVIwB/7qF7ga9sgfxIZH5TI:kP7gtmSKCVIwBeqDgf2hhI
            MD5:1C4BFB1E7C137DCC3F0D9E5128DC4834
            SHA1:712D8064A677A0F558E7D377F2DE8111BAD5F852
            SHA-256:8244489249F7784EFAA71DA6296D4039BA2C3A70E6E5FF2C3210B6CF603DF2F5
            SHA-512:A75278AFB7BA500BF56C1A9C96B39B22404146DFF5907EBC07240C71ACAA1557814AA26F5E9084997B15FD7F82D91016A43952A313649528FB44635E86C3B11C
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):37656
            Entropy (8bit):5.2213556641952845
            Encrypted:false
            SSDEEP:768:qe/4KpcCdhSpzg/yIsyQFXO0LRUdFJDcFT4PkMftoDxU48ahk9VIKUf2hK:qm948ahkvIKUfh
            MD5:F05F861657FAEBCC9714FCA6CC93F2F9
            SHA1:53709B6176E78AFB5FA90310474F7AB9E2A7B66D
            SHA-256:AD27D074A9355B2EBC4F01A30E117FA4DC5C1C127E9226FB81ED2F0CC47CA567
            SHA-512:C597EC6FD3DA7E863851778D2426D4BB70C6488C4381C461DDEFB8DA6EC0C74D6826F5BE492D9166638FDDC29BD27FFF6E3BDAB826D130C530A013FC00CC427A
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):12056
            Entropy (8bit):6.278978281776262
            Encrypted:false
            SSDEEP:192:KSLaTLaMLaLLayLa6JJ+kkiB/7qF20a9sgfxIZHXnS:KS+T+M+L+y+WckkiBeJDgf2hXS
            MD5:ADBE7779F1B0C36C17E681E974624F9C
            SHA1:1340F665ED9862D11C7C577A5404CA8F3ECAE717
            SHA-256:E3032DEF1A8A2583C74AAD86416D1F7C51ACEBF23634B24CF3E3DE2622EDE27B
            SHA-512:BA4A49377100881AFA355346D0210BBEFED837BF769B6686AAD65B9F4BA8BD5951C3514A48FBD4796C7746082A75093E9FED2010D65571F43B28E815FFE87D6A
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):12056
            Entropy (8bit):6.290305413353476
            Encrypted:false
            SSDEEP:96:i2f3U8lMoV/1inlt1trflvWGDwTDzKgmB30azYoB6hbWCIrxb8bwRa9aH2n/lVxJ:588lMoKnv/ksB/7qFaVja9sgfxIZHIgk
            MD5:5CCECFD129524277AF324051F52C4FA6
            SHA1:F4C0C4D3FF5A504111DAC16B8019D2F071B5B02C
            SHA-256:96FA7B1FB5571812EC7C5AD073010BADC736FCE9D389ACA359E5C8C60CC83F42
            SHA-512:0342DA944E72482C64234A3127FF7B8D2AB5ECAF8553A653CA2F7C8D199477BE4032F3203D7219DE785CB32DDB9D0F70A7B7BF2865A796D1959B9004A7D0CB23
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):21272
            Entropy (8bit):5.6937289137412606
            Encrypted:false
            SSDEEP:192:95F/e2pz4GwTPhtPYqNXzsaicB/7qFND+2va9sgfxIZHvGe:zFqGwTJt5FYaicBefjvDgf2hvf
            MD5:7C13C85F5C5978489D8A7562821DE648
            SHA1:3A04211DAE57AF5814EEDD83D57108463EF22BA5
            SHA-256:D924FD82CCA67FE1FB05581160E4FAC2406127724EF39CC71B031B861C2C7D68
            SHA-512:DEC98187958C42409DF2B495444AF71B010F4FFC97EE36F2429B29E1EDC96B9139DF522DD6B78D04B7AB1E6422B75EF7DBE13A627292F78DFC9C966D6387CCCD
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):47896
            Entropy (8bit):5.4364075778998755
            Encrypted:false
            SSDEEP:384:m519YkF70RIB5ySeDDAZr/kB4KB3SptNCx31s2h9Bl3/EBe0Dgf2hC:I8kF2IfyeVkLB3SPub7Z0Uf2hC
            MD5:39EEC713B7442EACEDC0164B27A1F19A
            SHA1:4C9916D94DF89205EE42EC88587F9E265BBDDD92
            SHA-256:63528232C4755FF60CC5AD3E0C347D8D36EBF79F4398FDFD83FC9C1426F74915
            SHA-512:65ACD49CDFB98FBFAC801335CF752F93E86DB7F60AC1805D9CB01512214356D396C8C1848192C8FEA300AFBC6D9A5C8B2C81B9A11DDC73AA42287967E20DF0DC
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):19224
            Entropy (8bit):5.734676911557785
            Encrypted:false
            SSDEEP:384:g0TQBSHjBF/IT7TSYE2cJYPCm/xbT+nj3U3enSia10nZ2npNPBeUDgf2hwE:gsQBSHjBF/IT7TSYE2cJYPCm/xbT+njY
            MD5:E40872C21187D688F245889B9EE2D7F4
            SHA1:5EA247C09AAD9FA100B11E9D76C579E5AE5D6E2E
            SHA-256:C5EDEEACC985CDB8AAB01CF16BFC082B9D64C1C569E004B92A6E604200CC14E6
            SHA-512:E678C8A45E7740D9D82AF75CB8F5756FAFA226A66A4CF97177B4B9B5ED276A11A6AAA3EB9D5C5E2B79B106CBB3EAAEF9DACFFF8D8ACBB29832A854087617B01A
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):52504
            Entropy (8bit):4.894558545521431
            Encrypted:false
            SSDEEP:768:orWe/V/5riwG1/8/UhXwqlPqarUj51r14vJukCPm6hdg5bng+UAvygg95xbOco9F:iA2Pm6hdg5bng+UAvygg95ho91UfS
            MD5:C8D170231433160E0B540AA0BFB451CB
            SHA1:40CACAF5CCE0AF8131D6965F092972327F236056
            SHA-256:BF8EB97DBA1706A2AD4052C05C8751EEE6DD8EA27C14694677E5B8253C06C0C6
            SHA-512:F4B0EC1B437E8FD408EFC8C22CDA1A64ED52461EE8E5F868E8E206EA6C8736BB61F5457DFBC681B874E8725B287A2F3DDC8E8D093E27ABFB39D65938C87DF5DC
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):51480
            Entropy (8bit):5.8741847682652555
            Encrypted:false
            SSDEEP:768:kAH7yCF4SFLHg/83aEQJx+Yt1M13zx0M3lhvfkabglJInOPD0qKSrxUf2hcn:kgF4SBKw0M2HrxUfnn
            MD5:9F109BECE045C9516B42465FD3C888FB
            SHA1:3FCF012FA12B5E238291B227FFC0C01F7AA1F0CA
            SHA-256:3A5D3B997C7A7F42370A7E3C0615229F135FC759CEA6DBA8D8DA86470E2A857D
            SHA-512:5CD9971F7B4D07C2963F718418C89BF5A066F19C18B077330425A075484BBCA452B280A2791CBB6AAC9FDC85D1459356974FA176468AF476EFA32C04D2D16693
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):315160
            Entropy (8bit):5.089637678751727
            Encrypted:false
            SSDEEP:3072:zKewfJJVUaEqbAnMa0pkMa5jSx5VcBkFho8bY4uGES:zJxuAnxMapSbVcBkFhNY4uQ
            MD5:CD2170A2A7DB72716ED77EB886439D4C
            SHA1:9F546FE6EED3F6DD38724EABA5E92C371CEBBC3B
            SHA-256:645D9BA5606F1954362C4424BBAA9F209E6F7211C4F0D62662217EBC37A25F39
            SHA-512:82FDB524D0C97CDC49B771A3339CC38F3FC325F3CD5F4A0772556BED52296769D89D2B103EECE90046A0B734865D8CC2BD54E74566750D7C9D521947DAD0BB8D
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):5632
            Entropy (8bit):4.249566735379632
            Encrypted:false
            SSDEEP:96:yEFEy54GfyT2N4gppoLKqSGrJxlxyzKV:yag2NNppqKIJxGg
            MD5:E5167444829D0543218521DF9F1F4F2C
            SHA1:7AAA4433169103DEF3FCA7521E4DA4D000C2C159
            SHA-256:F591A58590070F660A1D98582409DC54AF460CE6BB50279A8BDFBC82DD30CB86
            SHA-512:80FD16728333EF269A47E677EF94039C162016374707C75170A4E54B7DA721BC9289F033AC4B69911295BFA8632C10EDE4FABEF8E6870C07D255DA273CFE717A
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):10240
            Entropy (8bit):5.000181980268873
            Encrypted:false
            SSDEEP:96:muxtrBzK5ZxwRfU5tmI0xN8ZYnjjXMBeZkf2zTeGa/YxM9Y2/wikioGDy6YSwXul:muBz6wpbk+PXwFGa/N3DyfBedddbLJJ
            MD5:35A333516648BC985EB8E39E65655EBD
            SHA1:5C7224B10AC72F5A648941EA9E561C95F48F5677
            SHA-256:8815B9422CC54890B02EC178F580BB306FDCF9115F948626CA4615984391F14F
            SHA-512:E81F0C629F846500CF6DB15743EFF2AFF367AE3A7735D29CC8100FB2FCEF6DC3DB7CDA85D4BA5D35016757786113E782822E28AC9F86B02D6C100ABDFC8837F1
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):5120
            Entropy (8bit):4.333756492230925
            Encrypted:false
            SSDEEP:96:GXHz54gsGddcmYsM3HgMF1ZNaNl6eyuUq2DH3KHH:GXl4gsGYmYsM3HglALuQ34
            MD5:8C44ADD5B462D14588B004EE100E89D0
            SHA1:9010667B87975FF9C6D70FDB95A1C7D16FEE760E
            SHA-256:B39FA30422E1A84EB8B4B5693BA9ADEA7699E80117392C6A2E00B8173A6D8B25
            SHA-512:9E3EF3D75A786BC4369AEB34B239086D8A0774630D63EE6D9D0FE7CF69B3B1379677BC62192406719114ED8D7BE94F5629E1FF0D8FD09BCF1A3CA46BDC6D8658
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):8704
            Entropy (8bit):4.615338427905745
            Encrypted:false
            SSDEEP:192:LNrh3P4YWWHXAlf8JUQjHnkepLLOnCt2my6rU6:LNrhgSQeXHZ5xrr
            MD5:E4BDE3944BD7954EF1187DEA4212817B
            SHA1:3D4559CFBAC81DFC761EBAEE3A5E776C6D7766A3
            SHA-256:628052F389E52F47B41543A0248D88BF9EE489A3A7644DB850C397217FC236AE
            SHA-512:F8AC9EE53BEC18775D83A81C97D2A16CBBF2C177E73B8A925E7886DFBB9E20F87F9F4EAB88A100A8EDFAF01E1197C7B5DD202FD95E200F47797C0BDA1C7CC6E3
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):15872
            Entropy (8bit):5.209440800539675
            Encrypted:false
            SSDEEP:384:LuYUR55kRXy79UyKUbR+FRmTXq4NBHqJqDZpwet:ERLhEUbRka64F3w2
            MD5:598E1DD6A76C0280F57BFE710FF65021
            SHA1:EEC8A28F7CA1C1B76C98D2EEF07F44196F6FBDA7
            SHA-256:3CF22B88C95EEC3ADCB8FD9ECE4A114D90D24AAF4B0C8A57FD29CC4B155C0BCB
            SHA-512:FF208A6660A06260B4D858FC66B2C59ACA36AB54D6E811EE5F1B2A9A37D795B85927424B183BA6EF02B657B5034312055DC68A2F512F5690F839296A72D66274
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):4096
            Entropy (8bit):2.9335009538761447
            Encrypted:false
            SSDEEP:48:6n+H14E0l4oEZMFk/u0lyQ8oET9zlcCpUJbQCpUkwWK:tl0l4bZNyMgz6C61QC67
            MD5:FAB586FBE15CA4DEBF0C6BA04E33A836
            SHA1:076D404271A907ADD86A252ECF0C79B2594CCE33
            SHA-256:DB107CDBC3E6872A02488754C66BD7A8726D0BEB0DAABA31FC0ED5148B273A47
            SHA-512:745ADBFC40CA8E42165D4768572D824B4441909FC594315762277BFE81F721A407164F9EB892BAAA61854463ED51D23DF353958B9C8A6778E5D4F6244FEB2994
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):7168
            Entropy (8bit):4.239307377174926
            Encrypted:false
            SSDEEP:192:P9+pJZ0cNpFCaF0Ul/3Lj/0lH/7cG6hkwczP2:P+jNSaF0Ul/3axb2
            MD5:EB099F0D051988B9BE28F879186FAFF7
            SHA1:E4435E94FD8272AFA39923701C802F38550D75BD
            SHA-256:A6B6D05B2A0060E3BC25C526E4B44A3E8E8CF84CCCD265653A652740BDFF93FB
            SHA-512:CFEED49A9A7280B0056F30ECB8A3ED50A897AD978DDBF054CC736C16B7775F4C34E5C9CB781D92109F71359D54CC6B04462DC2227DA10B659C8A745BEA6A1AE7
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):10240
            Entropy (8bit):4.979757218480132
            Encrypted:false
            SSDEEP:192:Ki4mOvAfttFOGzB+1Y3uRuluTsMrHr7VXy9TVu1i:KBmOwtXOkM+epY98k
            MD5:279CC6C137E098DC381FE1F96A1D29DA
            SHA1:5369F89F91F05AD871301534817FC987B959D7F6
            SHA-256:7630A41B0D2FD2A92AA9BF401C2BDABC3677E256620BB9B064EA383E665A4F26
            SHA-512:E3C202673AAC13CD33FFD3078D75FED8E04BC196189D323CADD367F43D3186534D38F5C9BA734D29B40AD2D6235CB80434883A583399ADA12B341FBE01331287
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):5632
            Entropy (8bit):4.3960991797858675
            Encrypted:false
            SSDEEP:96:eE+EuyUIoyxMt6sW1ZofFliZyTTQNuz+P:eEV1UIoyxMslaFkc7
            MD5:BC39A5CA9EEC6639E0CC77B3C0A5AF73
            SHA1:AC35DD56F4B65749204217FE0C2CA9C2E05342E3
            SHA-256:E005267F07742E5BD1445DECB35FEE7D16D633C4E1A94CC65C292EBBCA14B4B9
            SHA-512:4FDF1CB126466B97CB2FCD9092ED303AD549C70283A08174A4B1A405FC09F56DBD36EF65BFCB83D04F01F62ECE432B9E037E7136CCE4A758419D2F74085F8391
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):4096
            Entropy (8bit):2.8707814042806663
            Encrypted:false
            SSDEEP:48:6GQNH14FlMU83Cy/UfMV4Dv4lsjWJQjlw5U:gNqlM/Cy/IMir4mIQm
            MD5:A5F5F231E25D1187144FB9BBD3AAD57D
            SHA1:707DB543A3D8996A88C592D6FFF96E969A2F6C27
            SHA-256:ABA0381CB6F38033261C018CDD62AD58E08CFE8AAC4A1648165C3047E07F8BD1
            SHA-512:21F0577AE0AB7C71DE46182E4FE2E98A473AD3F046F8EA83827B5B05E4A9DF563B1C3A4424D74D0217C803D10780A47F2236FD6FF830E563DADFE4408A3011BB
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):3584
            Entropy (8bit):3.4142926714353097
            Encrypted:false
            SSDEEP:48:6EQmAyHJTixlu50a3youVCXNNlnjOal6EU:gypmlI3y0dNdyaA
            MD5:4C71B2D9FE816ABF1BB594DEF7A4BA25
            SHA1:88C18C4550EEDE5CD82E3023D9854BDBF21DC97D
            SHA-256:A8B98B55081B57EF190FD21D3CC6F334C0A25CF31C097FF9CFD3C306509E55F7
            SHA-512:74AB0B3CAD94F88E667E5A307AD82EAEA9E8E760EAD8213C0AE215D30678DDAF6E6A05FC50CCD8976A06E89378F52C340F4AE8093998924537F9FB443BFE0FA5
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):3584
            Entropy (8bit):3.526377874629623
            Encrypted:false
            SSDEEP:48:6pNHHwM8hItWErCplJoRhcUylr31FiMzlIlLXUc:4I9EmlgGUyf4Ogl
            MD5:B2EB74303664D19BCC6C9E53E99A92FE
            SHA1:408ACA818758A5D8CFD738DFAF4A50E6B6DF52D4
            SHA-256:44F03A3C33CD299DCBC6D5D5C77F1160764B1468F7988090577FF457F0B67FAB
            SHA-512:3F86E07F6D9363128FE113C72CF351C80B3CF3A272A97362D6A5A5F9E7D202B906E9BEF92DCD70496D6778657C85B96BD67C67B5DE91E7318B023758E60FAA6B
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):14848
            Entropy (8bit):5.251452139783751
            Encrypted:false
            SSDEEP:384:SS/oJ3QGvzV8UQordxcG1qpSVXs6ogyE9ty7oiydIZZOlTKwgd:hi3pL1qpD6Q
            MD5:21C04F5BE3FE016D5C59E0F2E32E8B30
            SHA1:321DE07D3E80AF3313BCBBF6F99D09B6FC5378CA
            SHA-256:2B1AE2DC6056FE75777572C09DB741B05B832277E277A3B966D4F32F8905F795
            SHA-512:5FF0E49ED4EE8A402865C3A5A1D2645B326CD2DBD5EE0083157FC95F2ADB5643DF955131F6CFC7DD159B34D2DD83BEFB43049B47D85DE95A8900A64828E45928
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):7680
            Entropy (8bit):4.925750908726479
            Encrypted:false
            SSDEEP:192:3HY7PJewW0SQAKWB4crtItDAhN3itOWO:3H/0rAKWHrtckhkt1O
            MD5:B461A75BC7B15D6E84FA0179CE65E373
            SHA1:040C6212EF53D586058CB3D29CA84E4122075974
            SHA-256:1DC6DF8F796DF0BDFF17AC58592BA29C417A9CFC2233F0BC3D3EF638D8E01DF2
            SHA-512:F47B8258694A536C6A2DBCC540BC97502DC47589FDB801C91188AB95958EB97DDCD75863C0E543A72DF98EA29A158FACC3461D636E90CF627AE87C332DA464C9
            Malicious:false
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Q.e...........!................^5... ...@....... ....................................@..................................5..O....@.......................`....................................................... ............... ..H............text...d.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................@5......H.......,2..............P .............................................................lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet....?.......PADPADP........:.<..x........c..9..W.d5...-..D.F.....2q..H..v...~......}:I.t..............x..*....Q.,..Hd......,....(.@I........^..(....Meq..*....D....Q...S...b........=....!..-1)..3.:r7..'9...:..YC.bcD...HB..P..e.@Ki
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):8192
            Entropy (8bit):4.622824689236434
            Encrypted:false
            SSDEEP:96:1EZ+WhiUlR7rx3uQCP4cIx8vsrywf9GSsaK+cqA+hiFTjDclXhy2v:WZ+E7d+QjeKywfXC+huTjDctUW
            MD5:AF0FABAA2C10A8000B426EE652465743
            SHA1:A36391BAFE7A8DF541B87BA088F33E3CEBCA9C07
            SHA-256:6F05CD94D68F521CE34AA1565F267561F0BB94AC5171EC597FD5A4E1806CFD23
            SHA-512:2206E41907EDECA1B117965DA19043ED173621B19AF86C800EBE009636E6EDB4188D81F3F99FC9E86F26906AB3F1240665280742E4B0235B156F5C34CDBE9067
            Malicious:false
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Q.e...........!................^5... ...@....... ....................................@..................................5..K....@.......................`....................................................... ............... ..H............text...d.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................@5......H........2..............P .............................................................lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet....W.......PADPADP....".e..@..........[.q.b<..c<......%>.'>.)>..'...{..q...q...q....n..a..!...i..'..?.......O.....3.p.......5..0..<N.................RrY..rY..sY.btY..tY..tY..tY..tY..uY..uY..uY..I...I........<.......qdB.D.......i...K..
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):9216
            Entropy (8bit):4.8274960671327065
            Encrypted:false
            SSDEEP:96:Faew/0/LOYkYaG5csldsC4rRX/r3gr8sW4dATFZyBOkY3YyYOxG5jzN5UF43ho1y:FaeoQldsCeYde4gF5xtMOvNTooXih
            MD5:8703AE861925856F58B81DBB84142A9C
            SHA1:5818838C951FFC95ADD5F833D4B44B8761BF9DDC
            SHA-256:8DDC091366A1FB24ED35624F1A7C5B8C1BFE22EFDF081E1B542030688F04D515
            SHA-512:F5DD9F48596EB8D82FFB49646206F7E3FD6A4307BDB2CF961481B27DBED0A001B6A68C20465412BAEF751CB75AA4F171AA7E3E86B4AB216E5A9D506C4895FE00
            Malicious:false
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Q.e...........!.................9... ...@....... ....................................@.................................<9..O....@.. ....................`....................................................... ............... ..H............text........ ...................... ..`.rsrc... ....@......................@..@.reloc.......`......."..............@..B................p9......H.......@6..............P .............................................................lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet....5.......PADPADP*Cc.O...G..-..+.I.~...Gj.k..)JL.'w......C...?.).....t.>..._....l......K...O.Z...u.......g...H...........7.._T../.......'......@V......C.J..x.%.N.&VSi1.9.8...<.u.=.d.>.Q.G&C.JM].M..N3.Va..Dbi..g.7.r.S.y................
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):9216
            Entropy (8bit):4.793899080969678
            Encrypted:false
            SSDEEP:192:/B0wek6az+s+c72nFVv3YA2EiBpwwMms:/BfnUFVv3YAXiH3s
            MD5:026F391490DE1388A73D2BF0962D4C78
            SHA1:3764795C86F62476A77FFB32791CEC011237AF46
            SHA-256:09D13A0E0A409CAEFD55A4AB004B68F58EFE44FCEE475B7878BFCF00666E6B14
            SHA-512:6A3EEA649E9002079D39AFC4B746E64A06215C908B63C77986D86FB0DE0D705060FF6A45C9E0EAD92D8BFCD15B9E1C20F029AFA3723E659F95EE101BDA051E88
            Malicious:false
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Q.e...........!.................9... ...@....... ....................................@.................................T9..W....@..0....................`....................................................... ............... ..H............text........ ...................... ..`.rsrc...0....@......................@..@.reloc.......`......."..............@..B.................9......H.......H6..............P .............................................................lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet....l.......PADPADP.....G....=.Y.x...4U.|M..K...j.G...1.........a.......N.R._.c....5F..BJ...!.vcD.....W....<...f...&......U.;..Q._...O...:..,z...N.S.".2..tl....O.+r..o.+..........DK..i_v.l_v.n_v.o_v..........sY.asY...\...\.
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):35328
            Entropy (8bit):5.545658600960711
            Encrypted:false
            SSDEEP:384:AfhwtMPcqvOyd1ge/96Bud9W7wWAPQgE1bR9uGZZTsSV10Md6zwJvhDvRx:8WyaydT9zaR93+SXjczwxjx
            MD5:A3A24AD055385598F76F7941088E6883
            SHA1:EC8093B3B25B6550FDF613BD16A65B31EE2A59C6
            SHA-256:CA48A72D512D8221B2C2AAF580AF60B9C4C13DF9143DB7A55136E4608AE65607
            SHA-512:89C29EC5119B35E785CDBD48DCD9DEC1F7BEFD866F8461D06E8B63E1C4E9D39487864AADD1EC421BD32888B02DAA37DC5D2119A5D9D53E3BF95B5E0F3C4E0449
            Malicious:false
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Q.e...........!.................... ........... ....................................@.................................t...W.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......p...............P .. |...........................................|.............lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet....n.......PADPADP.L....V..ta..}{.......#.c.....?.-$v.....\.....)...iM.d.............k.W.N...a({...B.u...:;..&..T<G......@...,.........qD.|M...R..7..Y...........z]....=e....G.[ .....Y....7...J...a..Q?.........1...e.X...y./..y..
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):30720
            Entropy (8bit):5.452108638830865
            Encrypted:false
            SSDEEP:384:TJqG0ZppgfmJ96axCrOzWYA3KRQhpfUfZFJupYrCK6lYJchMqPQeb:V3qX6AqpAXU6eTlYCm8Q8
            MD5:CD7C0B274DCE5E550CE7FEACD3ABE098
            SHA1:48496549D88E3709063ABF543F890EE9DB535A4C
            SHA-256:2D67EF89A68685FFCD4EF3F76D19DB0C6588B62AE8657CD5F9C3C2DE1423EAA3
            SHA-512:693EDBA9BCA0678094EBDA1197A299F9E9793208B68B096EE0B54596C935895B86E96EA5CF7BFB4889B41739FF57DA7FDB578296F53310CA4DE7401CEB077D0E
            Malicious:false
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Q.e...........!.....n............... ........... ....................................@....................................W.......8............................................................................ ............... ..H............text...$l... ...n.................. ..`.rsrc...8............p..............@..@.reloc...............v..............@..B........................H.......................P ..gh..........................................ch.............lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet....@.......PADPADP.L...ta..}{...#.c...-$v.....\.)...iM.....d...x..............k.W.N...a({...B.u...:;..&.......@...,.....qD.|M...R..7.........=e....G.[ .....Y...J...a..Q?.........1...e.X...y./..y............eE...............k..
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):8704
            Entropy (8bit):4.64337284114007
            Encrypted:false
            SSDEEP:96:9ai839GMpEOd1HYF6Fp6fpmRnbMLTqM7xHhYv1SZODF9WY0J8B0oAGCgk9H0lwGJ:QiGgM9tQcv1gORzIPoAGCgDuv0sp8
            MD5:45E0E4B1157D972186629D56359B679C
            SHA1:33F81F33457A49F76A50401F71451E96F2571A56
            SHA-256:44748898EE5B1F00C3877E950B05B555D0C4122E27F0A8012879B3AD9DFB885E
            SHA-512:9C852CEB10857C8C2465EF610C0B7BC9405B6B45F1FBEB8CE92FDAB55AD2DF696D3094EBB1D85799DCDEA5C659E4D587E1971BD9ABB5E1B56128F746FEBB7E4A
            Malicious:false
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Q.e...........!.................6... ...@....... ....................................@.................................t6..W....@..0....................`....................................................... ............... ..H............text........ ...................... ..`.rsrc...0....@......................@..@.reloc.......`....... ..............@..B.................6......H.......`3..............P .............................................................lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet....).......PADPADP..4./Y....W...{.. V.U~...:..d&...O.n...........r'........'C...z..asY.h._.f........E+.........>..*...+...5.=.6..8<w$.@+..Q...fg0lk..Fl...l.w~|.+.|}.|....u...............>...........R.......v...w...-...!...............
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):11776
            Entropy (8bit):5.106406893052312
            Encrypted:false
            SSDEEP:192:feGC/YERElVvAb9RC0hWO6a1FEugrnzc0yA+uDRutR:f+/DCUdFErjzdiD
            MD5:9F85661DE869A6DB3D3401A41B5CB286
            SHA1:143D12C749B39E034402D69DBDD3BEF6C13AA716
            SHA-256:6776A401C496C291034E68DC6A7D83F25BF501AF547CC45E6951F91657766091
            SHA-512:A11A29A2B2A72936D2483BE569C5F757F068977162317C2829CBEC7E80ECAA8204E4D4F147992E20A170EDAFD22039A217CF4BFA539816916804C246A13017E9
            Malicious:false
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Q.e...........!.....&...........D... ...`....... ....................................@..................................D..W....`............................................................................... ............... ..H............text....$... ...&.................. ..`.rsrc........`.......(..............@..@.reloc...............,..............@..B.................D......H........A..............P ..@!..........................................<!.............lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet....W.......PADPADPm. ...?.D.N......Y.....jk..f....X.;....h..Y..E)..*..fv...T.V.L.85i.h)..........d&.....~N.....e....~.'...-.g..x..~....i=....r\..p"=.....y.....z.....w`...-:..C...?....>.R. .........us....F.]0...WT.0C.....!..j!...$
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):8704
            Entropy (8bit):4.520533879540501
            Encrypted:false
            SSDEEP:96:VgjXgg3y+FsZHM1AUlVtnbdhJ0aU8HrNWF4+rg/9ByYvn80gNhM5R8zq0lJYyRwB:2jgQsZHM1PVtnbjG493dvn8xYAbNh
            MD5:50CD89ABF877E60A671D325E7C916B40
            SHA1:29F3680B4AAA2AF336B84666BBA46C36ABE8FDD2
            SHA-256:61FE3FE27ACFBC517FEFE33359D5D81884EC0D1955DF75E20D9C9663ACCE6A1D
            SHA-512:CC38EB14795BB81094E0DB24E74BCE9369EDB84BB8B5CC2FFD7C3803F1BAA9887AED45BFFB48E9DC622E44C5CCF090DAE09F2B43CB12EB2D8A28527ED723D31E
            Malicious:false
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Q.e...........!.................5... ...@....... ....................................@..................................5..O....@..@....................`....................................................... ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......`....... ..............@..B.................5......H........2..............P ..E...........................................A..............lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet....K.......PADPADP.b................[.....q.......rx.$........ ...I..pZ.h.B.....h...|d..WY.y......xA..]....nw..j..px&....6.3.y...i\..T}.b)..C...nY.....c.......rF]..k].h.v.....d5..#g.......G#6!.-..r-m..-,..-2v<2..89.!9D.99...;qZ.B'.WI
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):9728
            Entropy (8bit):4.734279880904037
            Encrypted:false
            SSDEEP:192:2SSS5H2JAcdR0XQlsPy0rTtvqV+EhLjtEM:2SSm2L0AsPyIpiEM
            MD5:25A608308C931C58680B648BF460098D
            SHA1:41047E72A6EF69FC3B8098490B636B695724D008
            SHA-256:D36FD3F29AC35F7E35338BF9F1D8A9A1CAA6320D49EF11E06CE63818073F9DC7
            SHA-512:6A85E2AB77FB30C00AA9F2DA223C89F94507980FF222D371C67DF929939E0080658B0BB4C438DE1E84E1D3D3979402A838BB841A31C6FEE62C49D7AFED612AD7
            Malicious:false
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Q.e...........!.................:... ...@....... ....................................@..................................:..W....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`.......$..............@..B.................:......H........7..............P ..8...........................................4..............lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet....Y.......PADPADP&._.\.G.UH........Y.5.v....q...T............'..(....w.......>....... .T.s.u.......f.Xb...f=..yd..1..G...+.P....4r.....x.O...........-......s2....t.\..y.....u.Y.v.Y.S.h.S.0....|...}....I...\..S...,..d.g._.m.i..
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):14336
            Entropy (8bit):5.136085221373186
            Encrypted:false
            SSDEEP:192:6blkofdhYrFiydm5fSsgXLk4t6oArQ5qcHBNVfZxOkzsTUsGSEVM7SX:olkKdhv2m5ftgg4tqc5thNVfnoGNo8
            MD5:960B4D144C8FB7222E64E2FF4BFC3394
            SHA1:2257E2E9607A821E0A002729444B2AFD715D3DF8
            SHA-256:F3079B59292BCFFF39A14633C3EEDC10824EBBCC1CA3814BC4A0546E84440C3C
            SHA-512:32282EF1D9874A2EF0D96B3CF153E96C00B1809E643570B03E6C748FB54E80E471D8A0E6613B283E5FD5D039A400D2D627A4B1E2D57D70A99D028143EEB42B72
            Malicious:false
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Q.e...........!.................M... ...`....... ....................................@.................................tM..W....`............................................................................... ............... ..H............text....-... ...................... ..`.rsrc........`.......0..............@..@.reloc...............6..............@..B.................M......H.......pJ..............P ...*...........................................*.............lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet....w.......PADPADP..*Cc.....S...J.....J.m...........+.I.X...'..)JL..8[.~......E.F..e..z.a..t....4..Y.;..._...H....yt.p.f.........,.......}:I..R.....4....... 0...t.N....u.=L...&......K...O...@.t....C..v.s.B.m.]`..hx..8....,.U.-.....
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):6144
            Entropy (8bit):4.107043895945408
            Encrypted:false
            SSDEEP:96:kB1NGf38G28LzRsQ0qfUaPAmX+k+w+L4cVA3qCflX+yrQ:k/NGUG1zwqsaPAs5l04c4trM
            MD5:6A54B63D44807C1D2E95E8FBBE40E2D7
            SHA1:9535D246327D20FB13027B6543A4906195D5F249
            SHA-256:CDCAB099B7C200B5729E6F23A6DD4585056E487B158EEECD8106FCC991DE3CDA
            SHA-512:06E1690056BC6DE46B47CF7FED8893533E6763AD55E8CFE8C6E11527BDA77C06E064315979E8C552CBDF0364A3CFAE77B3ABC93A44915F3BBEF0219C4D83C14C
            Malicious:false
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Q.e...........!.................,... ...@....... ....................................@..................................,..K....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................,......H........)..............P ..4...........................................0..............lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP.K..Qr......n......e.p......"..e@......L.o.....s......Y..%G. .|..l......r....J....l(.F,K..Hr?MKr.s.|]...+...c...............;.......f...........N.......".......t.......7...............^...................V....A._.H.e.l.p....
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):13312
            Entropy (8bit):5.011389665559604
            Encrypted:false
            SSDEEP:384:aY1cOjJGZyogFtvGnO1JzUdqBlNKOOwyXHV9qUfoymZH/:N+OjoltOxKOOn7gf
            MD5:9B8DFFD887EA5BCA50FDAA54CB447DF4
            SHA1:C54456A53B427A7F0F972B63ADD3D339DCE64382
            SHA-256:BDF06F8C5200D9F19D0FC5BEFDAF97AC98AA90AD27CD59A79714295502BB29D7
            SHA-512:AD5F1593AF9A1D22FD4602BAE1D68DBF37E2592C4EAFBF6FE26BE597A978A5B4406FE78C888AD6175D44CEDDD40DB247D4FAE0A8A8E22C0888FA06D75895A268
            Malicious:false
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Q.e...........!.....*...........H... ...`....... ....................................@..................................H..W....`............................................................................... ............... ..H............text....(... ...*.................. ..`.rsrc........`.......,..............@..@.reloc...............2..............@..B.................H......H........E..............P ..5%..........................................1%.............lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet....}.......PADPADP.y.A...V..<1.P...A..........0D.......X.....Y.....o..Y..[s.z..s..............{i....c..................gH..gF......h..s..I...@.}:I...........\..)..d....T..6Q.(.R.....]...Z0..i=.....o......;...r.........v.t...W..
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):5632
            Entropy (8bit):4.0724086487921065
            Encrypted:false
            SSDEEP:48:6Z2H2mGasap34H3P2l712yv5BH1lO7ckSakGcyGxOjo/s1/Qlt/jsYhg/jiA/B+:rWmGaL34X+l71xdlObwyoOWeQXfhi1
            MD5:DF7AB16AFC3D0F49CFA7FCC164E6BC7B
            SHA1:D65118D711265476DE072F820B25611E972BD017
            SHA-256:F6FD0B8494025904B09D739CC80A44458EE48A20F641AA3357E5B68F2F0B973D
            SHA-512:90915260CE916F83235D3D7E04C3A41B1C9334BCC9A71E01C98CD4368BD90F1BE5C77B286375AC395DD338FF7D685B244EACEB1B20E4B7DF5D7D47803FCEAE06
            Malicious:false
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Q.e...........!.................*... ...@....... ....................................@..................................*..S....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................*......H.......H'..@...........P .............................................................lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP/.?..|t.&ps.m@.n R.e..V...3....y.).W.-st30...cM\.g..(o....f...........%...........D...3...%.......s...s...J........C.a.n.t.E.x.p.o.r.t.N.o.d.e.T.e.m.p.l.a.t.e._......C.a.n.t.I.m.p.o.r.t.N.o.d.e.T.e.m.p.l.a.t.e._.M...TC.u.r.r.e
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):30720
            Entropy (8bit):5.445436048336749
            Encrypted:false
            SSDEEP:384:KbKtw/1xXI9ELgcFJkLONb9hBF+jGu/bPL3qaQjMJaEH6Gyg:Y9xBg3LOx9hBF+6u/Wxg
            MD5:E3806A22053BE1B1544C33A9B7F26370
            SHA1:A3DE4FA7B2BD3AD0BDCF7B38B5493AD7742E23C3
            SHA-256:BB59D50AC9767B09B851EB946A29472A316856DEF1A5FE9E161AF75F3BCEE438
            SHA-512:ED03FE622DB3C2D74A8570674A2EBEFEAD926F63CD37CDD0BD76FA9691E04B997B299DD12069D5828220CDE322F249E08C3C624976A8D63145F0E27941A7B58E
            Malicious:false
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Q.e...........!.....n.............. ........... ....................................@.....................................O.......0............................................................................ ............... ..H............text....m... ...n.................. ..`.rsrc...0............p..............@..@.reloc...............v..............@..B.......................H.......................P ..?j..........................................;j.............lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP..!..a...e....V.@...XD..$Z.... .N....x.G.vNX.8....x.8.....3...j.I.....;...A..Qr.........r................x)..e@...k....\......a.h.....e..n..U~..3.]...........IY^....&>g.*..V.L..:.+...u.&.*..|...k.+A#..CM.C.D.
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):289280
            Entropy (8bit):5.543467004589175
            Encrypted:false
            SSDEEP:3072:rvIJ+R876hCR2J9FuYRK9aOOAgGZt/XhN+eoNNys4oWM/krDBMofgYtw7Y8iSC5R:76hgGZgWorkrKHYW0RSCO
            MD5:D732F039B9B940BE4D09B46DF8A0ADAA
            SHA1:E5DBC34683AC725AD79537DC45198C23BD02BA47
            SHA-256:4D0C472EAA46B371A15E404900B9A1A2B9D1535D12C4C8C4CEA5301AFD651F0F
            SHA-512:73BB5C00BBA0979F3FB4048A02964F18FFDB852D528FC657507C4574C6722319D75724651D8F910CA86408688DE0340E3E0DDCC5CC596F884F5B3E9FD15F24F8
            Malicious:false
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Q.e...........!.....`............... ........... ....................................@.................................`...K.................................................................................... ............... ..H............text...._... ...`.................. ..`.rsrc................b..............@..@.reloc...............h..............@..B........................H.......\|..............P ...\...........................................\.............lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet....x.......PADPADP..... ...i3..(R..MT..c..:j..oo..L...*.......k.'...h./........-,..U-..]A..OR..........O.0D.....vy....7.7.;...b.G7d.N.i...t...u.c^........\s..N..Z..Uf.....G...U.-.]..|......A...@i..<.tY...'...d...F..8.$...*..yB...M.
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):10752
            Entropy (8bit):4.880628364330292
            Encrypted:false
            SSDEEP:96:5LtTo8Gy8chtCCoUaVicVl8HfDfM+f2X5TwL0S3JrZGrGmzPo4Dpx2IbV8gWe3iT:55TpGy8cc8VRVGrGUpxyr5MNoVxgO0g
            MD5:DE2FA5940EF0629EE0D05453915F3158
            SHA1:05D6A23098C9845E058FA5F709E388AE942219B9
            SHA-256:C180AA657751C93E2CB1CD64BF7C5269B29862C460AE64C058912990AB88E41F
            SHA-512:DC9F672D1D43148BE1EB3C554A7AAFEC76693491B76172BD89DD3A57692B594565A1D557A17B468F4A54E4BD1CBB9F21F916C2CE2F52C9694662BF202C067684
            Malicious:false
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Q.e...........!..... ...........?... ...@....... ....................................@..................................?..W....@..H....................`....................................................... ............... ..H............text........ ... .................. ..`.rsrc...H....@......."..............@..@.reloc.......`.......(..............@..B.................?......H.......|<..............P ..+...........................................'..............lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet....?.......PADPADP.!..."...iM...K...C.u..*w..........I.......7.....E.s.>U...~.. 0._..._8....=hb..x.t._..l.r..._..2..ED.>B............\Tj.R. ..L.......a..op..WT.ow...Dx.... .u.-...8Z0:;..=.B.CO/.D..G..pI.'.J...Q..1_..1b...c...d
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):4096
            Entropy (8bit):3.2377674711239286
            Encrypted:false
            SSDEEP:48:67ZHSZlhK7oyYxOXuWE1MMZE14loE1j89OE1jPuE15+:GqlPy+OXq1614J1mV1h1
            MD5:DAE30518754210E3D6704843484BAC1F
            SHA1:1F61871851FE7D99B15F78D1AFB656B7E2C150FE
            SHA-256:F1D666F8DF34F279D76DC8E66352949682C6457014D5D957BF7E0CE30F4897AC
            SHA-512:3D4183A9673D1334A7BB2B4BA2A68F241B77C5D303A151BB4F493999C84EF07B6175A30A94EB4BE00FFD17D717A119BCC5EBA519B412BB51AB7228CB807B8FFE
            Malicious:false
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Q.e...........!.................$... ...@....... ....................................@..................................$..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................$......H.......`!..L...........P .............................................................lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP..*.i80..............P.a.g.e.B.r.e.a.k......P.a.g.e.N.O.f.N.............{0} / {1}...BSJB............v4.0.30319......l.......#~..P...l...#Strings............#US.........#GUID.......x...#Blob.....................%3........
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):13312
            Entropy (8bit):5.053075855932834
            Encrypted:false
            SSDEEP:192:pUo2s9NoL7Py9tqRtLTtOTTGjgWn2kmBY:+9srofPyALTYTK8Wn2jS
            MD5:285A85041FDD8152C1C8791496953319
            SHA1:3A7D797E4505A473FEA8EB45DB0E415279C3D124
            SHA-256:6214F9128FEDA2707E08E361287D2A0A95664965E96F3EE7C5A346DD0ABF1E03
            SHA-512:C1816FD5FA5C40C727D3BF40FA54C343C6D5FE0E0DB69F8E2E1B6024682374A6834EC2BE943BBE4DD87C1ADBB55190890A7192A1FC6223E4F9797B2B12DAE0F9
            Malicious:false
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Q.e...........!.....*...........H... ...`....... ....................................@..................................H..S....`..h............................................................................ ............... ..H............text....)... ...*.................. ..`.rsrc...h....`.......,..............@..@.reloc...............2..............@..B.................H......H........E..$...........P ..2%...........................................%.............lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet....|.......PADPADP>."...O....W.......q........%...,.@..W.........IW...Z.......y...a...q.Y......[.P...2..}...i..z...H...NZ......f.-.....k.J...~.....=L...V...@..C.w.e....Q..P)....j.B.......l...q...~...{..9...H....*...1.PrY.WrY.asY.5.-.
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):6656
            Entropy (8bit):4.776973438138001
            Encrypted:false
            SSDEEP:96:K7b51aDvQJsKHQPgqcHpD4LFpv+D/AwVqfGZIEaodWsglLy5qcSyWI:KR1akuKHQPoAwWEj
            MD5:822824B0D21297753AA2B2F304DC5759
            SHA1:1E6E8E7FE54732146003F2F7F326E35BA947167D
            SHA-256:70DD49186A98AFF6613FFE3BFC41B446CA04781E71BC497A6CC88E07D923A9B1
            SHA-512:31FBC576B99C28F3B3B71AE00926AD64368B39B99170D5670BB1C7AAE862EFA40BD490F090C7F3FA3CCE33C4F82F64FAD5E82F7C28CD34EEB41F930C2D517BDE
            Malicious:false
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Q.e...........!.................1... ...@....... ....................................@.................................d1..W....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................1......H.......x...............P ..(...........................................$..............lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet....0.......PADPADP^.....c...E..&...H.....O.......k.........M..R......~..x.er..<.;....z.-....I....q.."dX..v.....(sY.asY.Nea...h.....f....@b..Y........."...+..M;ID.F.^.F...J...T...T..yW...Y..c...i..m....A.......z...........3...g...R...
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):48128
            Entropy (8bit):5.442219112867948
            Encrypted:false
            SSDEEP:768:U1Jfdfi+prPQK9SJn57LeRrakeSz9SC2O:G9dfi+prYSSJn5O089SC2O
            MD5:57291574BBDB2411B9C384251C0B156F
            SHA1:0DE53FC46179F89EA41DC9741286D5F166D3C958
            SHA-256:CB29FFECD9C21A927CD29C162895AF22D04089EE6F636E5A3FEFB2A056A204E1
            SHA-512:5B23A800B8EEC2A33E162DB107D50AC6DEA9BF3D9A8A92B52E325D0122C1F14D41A6F7D4F7B28443C00DADE6B06BE2A4919290CDCF55F523F319CDD8A4DACB04
            Malicious:false
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Q.e...........!..................... ........... ....................... ............@.................................4...W.......h............................................................................ ............... ..H............text........ ...................... ..`.rsrc...h...........................@..@.reloc..............................@..B................p.......H.......d...............P .............................................................lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet....y.......PADPADP.Q...n....Dh..H.......#.G 6.T..`.\...........!z.4..!.....5.8....-...........q.)`.j...c.E.....D./Y...O^.To..5A......(./.#)..Z.y.-"2.]..J...I<j....;..'..|.o.Gwt......E)..U..N..b.. V...j.....p.....h...t.
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
            Category:dropped
            Size (bytes):433536
            Entropy (8bit):6.0191087567842745
            Encrypted:false
            SSDEEP:12288:k5emtCIr9xTV1T0R862ZLDwaa9b9WHVrydhx:k5jta9b0HI
            MD5:2BD21BDCCFC3444E7C1F7AA730FF952C
            SHA1:94445A07FFDFFFB5A0444244226E3CA85C9595F2
            SHA-256:BB743D9931AF36EE0DEE1ACF28B5518F8323A1171535FE00751C460AA81130C6
            SHA-512:5C9FF3BA40B08572CF552960F899E6898479B75675A3E1E21179B9DAE9125358DFF9E7E1075D2A1C95ED992B7111751422D4CE7E95953028F5CBF4D399B0F63D
            Malicious:false
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........R.J.3...3...3...Kd..3...U...3...i..3...m...3...m...3...m...3...3...3...m...3...3...3..Zm...3.._m...3..Zm...3.._m...3..Rich.3..................PE..d....?.\.........." ........................................................ ............`.........................................@i..LA..............X....@..DC...~..........P.......T...............................................p............................text...L........................... ..`.rdata..............................@..@.data....q.......P..................@....pdata..DC...@...D..................@..@.data1..84.......6...2..............@....gfids..4............h..............@..@_RDATA...............j..............@..@.debug_o.............|..............@..B.rsrc...X............`..............@..@.reloc..P............f..............@..B................................................................
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):13216
            Entropy (8bit):6.018363347633573
            Encrypted:false
            SSDEEP:384:HYhFkConuSm15fh4S34z3mirILIhebCP1wYLa:H4FkConuSm15fZ34aIILHbCNw8a
            MD5:4B5546B542E84F5733A5B350BCD5EFE0
            SHA1:BD6DCDBA9F3D84B179E2943E309FEC4CFC86E67C
            SHA-256:23C06B6AC9ADA5FB4CC216499F73DA6816670C65F081BEB2EA9C5A2C971612BA
            SHA-512:18710F4FCAE9A4CA0BCF62BA611939F9E1F9709B153E836B4B342F5EB6AB03B82BE9076652E189EEA5C05B5CF0C31704A6354F7585274AD3B5F9392DFCEFF364
            Malicious:false
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....P...........!................N2... ...@....@.. .............................._^....@..................................1..W....@.......................`....................................................... ............... ..H............text...T.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................02......H.......X#......................P ......................................`..q....lA[.b..\.i.u..O.,4t.kR.5`P.6.~.......4..~mr...g..m..\YH.mT..&&...KQ....l.K...T%.........N...F.1}Q..,.k...?.y.K..-.....(....*..{....*..{....*..{ ...*~....(......}......}......} ...*f..o.....o.....o....(....*r..}!.....}".....}#....(....*...}!.....}".....}#....(......}!...*...}!.....}".....}#....(......}!.....}"...*...}!.....}".....}#....(......}#...*n.{(.....d.{(... ...._s....*...0..9........{$.
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):69632
            Entropy (8bit):4.568464702208584
            Encrypted:false
            SSDEEP:1536:cwPWz/GiVyPVO17058vwphJaV9I/KZ73WmTm:cwObVwOvwpKI/KZ73Wma
            MD5:5C677EBA3A7A05C0BC22288198C19383
            SHA1:10F7A6933A3ED04B274FB10ED58FDFC8D6FF783E
            SHA-256:4167B599F36AF0781B81563BD2179A6D35DAA3145F0B6F99AC6D9EE1894B516A
            SHA-512:ADEE15BE8AD17789D3934B2A29FD0FB6C42132074E385470451EEBCAA44DAD86F16E530E808F2544A366861FF0BE703EEDB19DCE57CB9DEA47D19D62F1A817ED
            Malicious:false
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......E...........!......... ........... ........... .......................@..............................................d...W............................ ....................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
            Process:C:\Windows\System32\svchost.exe
            File Type:data
            Category:dropped
            Size (bytes):1310720
            Entropy (8bit):1.3073494552756486
            Encrypted:false
            SSDEEP:3072:5JCnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsiJKrvrB:KooCEYhgYEL0In
            MD5:5528F88E030071C924E0A7EEAC156616
            SHA1:969FB46AC77C654E6CF099C97DB590F285B8C583
            SHA-256:C9145F786E2EA1557255E12438768BF313A2D3C5A0E50A3F7FB2B6A03F275832
            SHA-512:A0628AE152CA3EBC964167448D3069AC5D1D51AD8163E096C4962BCCDD689EE9F7845BDE7814611684C68B2742E891B33A9FD81647EEB3F0D7BC017D24F41E23
            Malicious:false
            Preview:z3..........@..@.;...{..................<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@..........................................#.................................................................................................................................................................................................................................................................................................................................................
            Process:C:\Windows\System32\svchost.exe
            File Type:Extensible storage engine DataBase, version 0x620, checksum 0xeef88e3a, page size 16384, DirtyShutdown, Windows version 10.0
            Category:dropped
            Size (bytes):1310720
            Entropy (8bit):0.42217556710408705
            Encrypted:false
            SSDEEP:1536:RSB2ESB2SSjlK/dvmdMrSU0OrsJzvdYkr3g16T2UPkLk+kTX/Iw4KKCzAkUk1kI6:Raza/vMUM2Uvz7DO
            MD5:413FD8E8381774CD46CCB3669FFF43BE
            SHA1:9058959CD9B627C4C3F093C72BB81033A12EC144
            SHA-256:A6356304EDB1ECCBD6D6A7B245560A561753DBD171D6A4371C279E02C34F9D49
            SHA-512:4A23309BD2D5EBCF550A7ED5CCA2890C993560F2734BFA8838AD3D340E24F3D51DDD0358AEAE0909721A88C41D08D59D62D8F05C5BB5A8A09B606F8FCA4CAA65
            Malicious:false
            Preview:...:... .......A.......X\...;...{......................0.!..........{A......|..h.#.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........;...{...............................................................................................................................................................................................2...{....................................]......|..................`.N......|...........................#......h.#.....................................................................................................................................................................................................................................................................................................................................................
            Process:C:\Windows\System32\svchost.exe
            File Type:data
            Category:dropped
            Size (bytes):16384
            Entropy (8bit):0.07639603800723768
            Encrypted:false
            SSDEEP:3:5fGlKYeZguhajn13a/GzllllollcVO/lnlZMxZNQl:5fyKzZrha53qo/AOewk
            MD5:9E26EAB123589A79C54E83EB599D6611
            SHA1:4F46CE0066F7B9FC957D1FC454DD2CD60A2C64C6
            SHA-256:EC1B5403A36CB84925EF4AFD7BC49D63F5DB3C00401DA1C03F92516BE13D2AD6
            SHA-512:DCE186F72A16948DFD06D8687A7913DC9605F679DC2F9D2F82F5E33CAB2D78061E392C713F52FD22CC74888C04886646EA4AC06D178D2FAC90DDD15952F8A6FF
            Malicious:false
            Preview:S........................................;...{.......|.......{A..............{A......{A..........{A]................`.N......|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
            Process:C:\Windows\System32\msiexec.exe
            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Sep 20 13:58:04 2023, mtime=Tue Oct 1 09:19:57 2024, atime=Wed Sep 20 13:58:04 2023, length=503296, window=hide
            Category:dropped
            Size (bytes):1042
            Entropy (8bit):4.6037604279204905
            Encrypted:false
            SSDEEP:24:88a856dcX8wFXi/xXfUAsQdNTYJxsG0yfm:88aVd5xXfj3dNTfGn
            MD5:D26F61B718EB3700673D957D2EFEDC1C
            SHA1:CE353AAE4C1D35892B912C89648932BB15A5906D
            SHA-256:3A914E4B74D77DB124D1EEEFD78E9A384B3187AD917794E96263339C6563B29D
            SHA-512:0C2E74939851D4E68051A15E8E074D4B1F56734C88B7F3D2EA57A09C8C33BA3098E0008A442F0E1245593D95790B3FA8FCF568A2EDD58BC3EB323CC257D6F253
            Malicious:false
            Preview:L..................F.... ....f[.....-d.v.....f[..................................P.O. .:i.....+00.../C:\.....................1.....AYsR..PROGRA~1..t......O.IAYsR....B...............J.....*.\.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....AYsR..Rigaku..>......AYsRAYsR..........................*.\.R.i.g.a.k.u.....T.1.....AYzR..SureDI..>......AYsRAY}R.... .........................S.u.r.e.D.I.....l.2.....4WBw .SUREDI~1.EXE..P......4WBwAYyR.....G........................S.u.r.e.D.I...v.1...0...e.x.e.......]...............-.......\...........Qk.......C:\Program Files\Rigaku\SureDI\SureDI.v1.0.exe..@.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.R.i.g.a.k.u.\.S.u.r.e.D.I.\.S.u.r.e.D.I...v.1...0...e.x.e.........&................c^...NI..e.2.......`.......X.......390120...........hT..CrF.f4... ........,.......hT..CrF.f4... ........,..............A...1SPS.XF.L8C....&.m.%................S.-.1.-.5.-.1.8.........9...1SPS..mD..pH.H@..=x
            Process:C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):432
            Entropy (8bit):4.8763900450795665
            Encrypted:false
            SSDEEP:12:DR1nQ1DhKRNiWQeePBC9wagXGmA/KRNFCnQeDC9wagXGmA/KRNFCnQsGv:9q1DheNiZeEBRrXGmAmN4QeDRrXGmAmP
            MD5:A11B7E5B4E631BEF17234320DC7F9FB2
            SHA1:53346753BA113D764AF25EEF9DB5B6EF2FB20B53
            SHA-256:684041AE4951278689DAE8AF917597471DA092A20156A270A195AA42441BD7B1
            SHA-512:8FC2934271E9454852A22E8627BAFB7A8EE40059455FC5263A3353FA9C3943D0915375D0D1D0E1E37FBC42C2F22557A330A92B4B0AC7D87BDE7935F55AFD3016
            Malicious:false
            Preview:Information: 2024-10-01 06:19:57 --------< Rigaku SureDI Monitor Service is started >--------..Information: 2024-10-01 06:20:32 Checking if Rigaku SureDI Monitor is already running or not. Process name: 'Rigaku.EresSystem.Monitor.v1.0'...Information: 2024-10-01 06:20:32 Rigaku SureDI Monitor is starting. Process name: 'Rigaku.EresSystem.Monitor.v1.0'...Information: 2024-10-01 06:20:32 Rigaku SureDI Monitor started in session 1..
            Process:C:\Windows\System32\msiexec.exe
            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Sep 20 13:58:04 2023, mtime=Tue Oct 1 09:19:48 2024, atime=Wed Sep 20 13:58:04 2023, length=503296, window=hide
            Category:dropped
            Size (bytes):1018
            Entropy (8bit):4.629540754192843
            Encrypted:false
            SSDEEP:24:887p856dcX8wFXmXfUAskdNTYJxsG0yfm:88lVd9XfjDdNTfGn
            MD5:0AAC0A899D2A82CB9FBC44CD87575683
            SHA1:9D6BD9BA0FF1E237EE6BFE226E000A1E20BEE25B
            SHA-256:BB1383A433501D7EC8219C069ADB8B7AF4B82A82160484D1F824D47559311E82
            SHA-512:DD9FD8D5AE2B66DE1F77A4BAA02D30D239D34C3E2AB7D9D53E1216916F6A983124EDEAC5D949DC84D5996DA6B4C9D070B0E86849F72500999887D0F4730D5D1B
            Malicious:false
            Preview:L..................F.... ....f[......+.r.....f[..................................P.O. .:i.....+00.../C:\.....................1.....AYsR..PROGRA~1..t......O.IAYsR....B...............J.....*.\.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....AYsR..Rigaku..>......AYsRAYsR..........................*.\.R.i.g.a.k.u.....T.1.....AYzR..SureDI..>......AYsRAYzR.... .........................S.u.r.e.D.I.....l.2.....4WBw .SUREDI~1.EXE..P......4WBwAYyR.....G........................S.u.r.e.D.I...v.1...0...e.x.e.......]...............-.......\...........Qk.......C:\Program Files\Rigaku\SureDI\SureDI.v1.0.exe..4.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.R.i.g.a.k.u.\.S.u.r.e.D.I.\.S.u.r.e.D.I...v.1...0...e.x.e.........&................c^...NI..e.2.......`.......X.......390120...........hT..CrF.f4... ........,.......hT..CrF.f4... ........,..............A...1SPS.XF.L8C....&.m.%................S.-.1.-.5.-.1.8.........9...1SPS..mD..pH.H@..=x.....h....H.....K...YM..
            Process:C:\Windows\System32\msiexec.exe
            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Sep 20 13:58:04 2023, mtime=Tue Oct 1 09:19:48 2024, atime=Wed Sep 20 13:58:04 2023, length=503296, window=hide
            Category:dropped
            Size (bytes):1018
            Entropy (8bit):4.629540754192843
            Encrypted:false
            SSDEEP:24:887p856dcX8wFXmXfUAskdNTYJxsG0yfm:88lVd9XfjDdNTfGn
            MD5:0AAC0A899D2A82CB9FBC44CD87575683
            SHA1:9D6BD9BA0FF1E237EE6BFE226E000A1E20BEE25B
            SHA-256:BB1383A433501D7EC8219C069ADB8B7AF4B82A82160484D1F824D47559311E82
            SHA-512:DD9FD8D5AE2B66DE1F77A4BAA02D30D239D34C3E2AB7D9D53E1216916F6A983124EDEAC5D949DC84D5996DA6B4C9D070B0E86849F72500999887D0F4730D5D1B
            Malicious:false
            Preview:L..................F.... ....f[......+.r.....f[..................................P.O. .:i.....+00.../C:\.....................1.....AYsR..PROGRA~1..t......O.IAYsR....B...............J.....*.\.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....AYsR..Rigaku..>......AYsRAYsR..........................*.\.R.i.g.a.k.u.....T.1.....AYzR..SureDI..>......AYsRAYzR.... .........................S.u.r.e.D.I.....l.2.....4WBw .SUREDI~1.EXE..P......4WBwAYyR.....G........................S.u.r.e.D.I...v.1...0...e.x.e.......]...............-.......\...........Qk.......C:\Program Files\Rigaku\SureDI\SureDI.v1.0.exe..4.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.R.i.g.a.k.u.\.S.u.r.e.D.I.\.S.u.r.e.D.I...v.1...0...e.x.e.........&................c^...NI..e.2.......`.......X.......390120...........hT..CrF.f4... ........,.......hT..CrF.f4... ........,..............A...1SPS.XF.L8C....&.m.%................S.-.1.-.5.-.1.8.........9...1SPS..mD..pH.H@..=x.....h....H.....K...YM..
            Process:C:\Windows\System32\msiexec.exe
            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Sep 20 13:58:04 2023, mtime=Tue Oct 1 09:19:48 2024, atime=Wed Sep 20 13:58:04 2023, length=503296, window=hide
            Category:dropped
            Size (bytes):1063
            Entropy (8bit):4.66328980635265
            Encrypted:false
            SSDEEP:24:887p856dcX8wFXmXfUAskdNTYJxsGsAyfm:88lVd9XfjDdNTfGsL
            MD5:C656BD62FCB4F67E9B0A10DFEEB26FA1
            SHA1:52422E10E0EEB5DA41032439E3AA71522F4388A0
            SHA-256:452A096BD718758D3A1B39B6A42EF167375274D9B4D1809A357F2CB541160189
            SHA-512:2D6A7E26FFFAE21D525D3D9AF268AF43EC83A04EEE34540ABB8C4923B64E733B8D6EF5D4DAB295DCE72987362C94CE3DAE7076054425B3072CCFD0DD57C11BAA
            Malicious:false
            Preview:L..................F.... ....f[......+.r.....f[..................................P.O. .:i.....+00.../C:\.....................1.....AYsR..PROGRA~1..t......O.IAYsR....B...............J.....*.\.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....AYsR..Rigaku..>......AYsRAYsR..........................*.\.R.i.g.a.k.u.....T.1.....AYzR..SureDI..>......AYsRAYzR.... .........................S.u.r.e.D.I.....l.2.....4WBw .SUREDI~1.EXE..P......4WBwAYyR.....G........................S.u.r.e.D.I...v.1...0...e.x.e.......]...............-.......\...........Qk.......C:\Program Files\Rigaku\SureDI\SureDI.v1.0.exe..4.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.R.i.g.a.k.u.\.S.u.r.e.D.I.\.S.u.r.e.D.I...v.1...0...e.x.e.........&................c^...NI..e.2.......`.......X.......390120...........hT..CrF.f4... ........,.......hT..CrF.f4... ........,..............-...1SPSU(L.y.9K....-........................A...1SPS.XF.L8C....&.m.%................S.-.1.-.5.-.1.8.........9.
            Process:C:\Windows\System32\msiexec.exe
            File Type:CSV text
            Category:modified
            Size (bytes):4676
            Entropy (8bit):5.358330212238719
            Encrypted:false
            SSDEEP:96:iqaqKkKYqGSI6ozajtIzQ0cxYsAmSvBjwQYrKxmDRtzHfq10tpDfq1q1iNLhCwy8:iqaqKkKYqGcRIzQ0JyZtzHfq10tpDfqT
            MD5:35375A4F96F252337CBBEBE7AE23E8A4
            SHA1:D412921ACD539346B3280C59AC7322899D4B8EBD
            SHA-256:1748B55A71E1A40C747BDAEF11633DC4CAFF2864D90F74B4EED6045389B07884
            SHA-512:8B8E66101FFC086F7F19FCEF1BADFDCF75879586A92A6F4790B0E7830B3BEC7066A25763F46CB2A474E1F4E7D5B42868454AC08DAD3DDA172A643FE227D32657
            Malicious:false
            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Management.Automation, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\27947b366dfb4feddb2be787d72ca90d\System.Management.Automation.ni.dll",0..3,"Microsoft.PowerShell.Commands.Diagnostics, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\Nat
            Process:C:\Windows\System32\msiexec.exe
            File Type:ASCII text
            Category:dropped
            Size (bytes):511
            Entropy (8bit):5.230317586540388
            Encrypted:false
            SSDEEP:12:AMzJ8HC2S1mJ4t0uJ4TCAWMSHCXw50KuoGmeeMeZ/:EHjSDJIDSHYyxD
            MD5:16E9F6A53C3810762EAC59D894C1FC75
            SHA1:BD87787D1BA10FF18EBE23427A5C52340D068E42
            SHA-256:9851936993A0F4F445A717E2272EAB717FE00C64AE03ED520B8BD0DB2C41BB00
            SHA-512:D8839097505148E136524A29994BBCF65812320BE949360D999BF00CE0D01416AA762BCAD26554A209DCD3B9BCCD10DAA43E1CCF5241BAD61D1237A1EF4EECEA
            Malicious:false
            Preview:function CheckandAddRule ($name, $port, $protocol).{..$rules = Get-NetFirewallRule....$par = @{..DisplayName = $name..LocalPort = $port..Direction = "Inbound"..Protocol = $protocol..Action = "Allow"..}....if(!($rules.DisplayName.Contains($par.DisplayName)))..{...Write-Output "Rule will be added"...New-NetFirewallRule @par..}..else..{...Write-Output "Rule already exists"..}.}..CheckandAddRule "Rigaku.SQLServer.EndPointPort(TCP)" "1433" "TCP".CheckandAddRule "Rigaku.SQLServer.EndPointPort(UDP)" "1434" "UDP".
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
            Category:dropped
            Size (bytes):156928
            Entropy (8bit):6.026110732768864
            Encrypted:false
            SSDEEP:3072:jMDwFKjZflbbgcS6Kbd1g+GCnm0CxiPS7jJ2:jkjrbkcSPybH78
            MD5:A7B832F632A3C7F5317C17C095C97437
            SHA1:4233053B7FA9E17850545519570EE76FBB8B04DF
            SHA-256:3D42CFFE19C21D9E10778819EF7A664A135B1115F0284DBC3EB4B49740B3B4A1
            SHA-512:CB89F84D86C2EB5DBCECA24E55BB054CD899BA368543DC81F3162D113BB056BD65244414EFF8379114C07CCFA7C08D6BFDDA8213C45F9B0188D5DEA42113F540
            Malicious:false
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......y..7=..d=..d=..d..#d,..d.. d;..d.. d<..d..!d...d.. dN..d4.md>..d4.}d"..d=..d,..d..!d+..d..$d<..d..'d<..d=.yd<..d.."d<..dRich=..d........................PE..L.....yY...........!.....J..........F........`......................................x...............................p...E............@...............H.......P..@...................................H...@............`...............................text....I.......J.................. ..`.rdata.......`.......N..............@..@.data...t1..........................@....rsrc........@......................@..@.reloc..JJ...P...L..................@..B................................................................................................................................................................................................................................................................................
            Process:C:\Windows\System32\msiexec.exe
            File Type:ASCII text, with no line terminators
            Category:dropped
            Size (bytes):60
            Entropy (8bit):4.038920595031593
            Encrypted:false
            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
            MD5:D17FE0A3F47BE24A6453E9EF58C94641
            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
            Malicious:false
            Preview:# PowerShell test file to determine AppLocker lockdown mode
            Process:C:\Windows\System32\msiexec.exe
            File Type:ASCII text, with no line terminators
            Category:dropped
            Size (bytes):60
            Entropy (8bit):4.038920595031593
            Encrypted:false
            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
            MD5:D17FE0A3F47BE24A6453E9EF58C94641
            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
            Malicious:false
            Preview:# PowerShell test file to determine AppLocker lockdown mode
            Process:C:\Windows\System32\msiexec.exe
            File Type:ASCII text, with no line terminators
            Category:dropped
            Size (bytes):60
            Entropy (8bit):4.038920595031593
            Encrypted:false
            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
            MD5:D17FE0A3F47BE24A6453E9EF58C94641
            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
            Malicious:false
            Preview:# PowerShell test file to determine AppLocker lockdown mode
            Process:C:\Windows\System32\msiexec.exe
            File Type:ASCII text, with no line terminators
            Category:dropped
            Size (bytes):60
            Entropy (8bit):4.038920595031593
            Encrypted:false
            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
            MD5:D17FE0A3F47BE24A6453E9EF58C94641
            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
            Malicious:false
            Preview:# PowerShell test file to determine AppLocker lockdown mode
            Process:C:\Windows\SysWOW64\msiexec.exe
            File Type:PE32+ executable (GUI) x86-64, for MS Windows
            Category:dropped
            Size (bytes):182008
            Entropy (8bit):5.745001134941054
            Encrypted:false
            SSDEEP:3072:CIFNKUw8ALJ+C2T0FSmmiYQT4nF2E+JYVdeZ2bgA/qrXo:2Un0mT8Sc/T4F1bnxg85
            MD5:8A1E5A6B1C4E0C7D706EB2B36FA6C8EA
            SHA1:49199A62DE0EDA485B5287BAD469F92AD8EBD407
            SHA-256:4104FDE5404BFB3C5347B8ECDAEC89A2E746B1162DC75186BC79738805818C0A
            SHA-512:1393BD6C06C30DF7414494E5B06242445EB8AFDF5467C6A5E875F2C63506B0B581322B6444C6D8F06B39AA5B04D1C55A631CCF932DC6D5043296DD3ED3CD9FC8
            Malicious:false
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......e.*.!.D.!.D.!.D../..D.D../..(.D../....D.... .D.!.E.[.D......D.....%.D..... .D.!.. .D..... .D.Rich!.D.........................PE..d...6.yY.........."......X...v.................@..........................................`..................................................J..................$...................`t..8...............................p............p...............................text....W.......X.................. ..`.rdata.......p.......\..............@..@.data... B...`.......D..............@....pdata..$............`..............@..@.rsrc................v..............@..@.reloc..............................@..B................................................................................................................................................................................................................................................
            Process:C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe
            File Type:Unicode text, UTF-16, little-endian text, with very long lines (308), with CRLF line terminators
            Category:dropped
            Size (bytes):22490
            Entropy (8bit):3.484827950705229
            Encrypted:false
            SSDEEP:384:CTmyuV//BiTbh/Y4AwC2WrP2DBWa/Oa0Mhs+XVgv:CT6V//BiXh/N/lWr0aa0Mhs+XVgv
            MD5:8586214463BD73E1C2716113E5BD3E13
            SHA1:F02E3A76FD177964A846D4AA0A23F738178DB2BE
            SHA-256:089D3068E42958DD2C0AEC668E5B7E57B7584ACA5C77132B1BCBE3A1DA33EF54
            SHA-512:309200F38D0E29C9AAA99BB6D95F4347F8A8C320EB65742E7C539246AD9B759608BD5151D1C5D1D05888979DAA38F2B6C3BF492588B212B583B8ADBE81FA161B
            Malicious:false
            Preview:..[.0.x.0.4.0.9.].....1.1.0.0.=.S.e.t.u.p. .I.n.i.t.i.a.l.i.z.a.t.i.o.n. .E.r.r.o.r.....1.1.0.1.=.%.s.....1.1.0.2.=.%.1. .S.e.t.u.p. .i.s. .p.r.e.p.a.r.i.n.g. .t.h.e. .%.2.,. .w.h.i.c.h. .w.i.l.l. .g.u.i.d.e. .y.o.u. .t.h.r.o.u.g.h. .t.h.e. .p.r.o.g.r.a.m. .s.e.t.u.p. .p.r.o.c.e.s.s... . .P.l.e.a.s.e. .w.a.i.t.......1.1.0.3.=.C.h.e.c.k.i.n.g. .O.p.e.r.a.t.i.n.g. .S.y.s.t.e.m. .V.e.r.s.i.o.n.....1.1.0.4.=.C.h.e.c.k.i.n.g. .W.i.n.d.o.w.s.(.R.). .I.n.s.t.a.l.l.e.r. .V.e.r.s.i.o.n.....1.1.0.5.=.C.o.n.f.i.g.u.r.i.n.g. .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r.....1.1.0.6.=.C.o.n.f.i.g.u.r.i.n.g. .%.s.....1.1.0.7.=.S.e.t.u.p. .h.a.s. .c.o.m.p.l.e.t.e.d. .c.o.n.f.i.g.u.r.i.n.g. .t.h.e. .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r. .o.n. .y.o.u.r. .s.y.s.t.e.m... .T.h.e. .s.y.s.t.e.m. .n.e.e.d.s. .t.o. .b.e. .r.e.s.t.a.r.t.e.d. .i.n. .o.r.d.e.r. .t.o. .c.o.n.t.i.n.u.e. .w.i.t.h. .t.h.e. .i.n.s.t.a.l.l.a.t.i.o.n... .P.l.e.a.s.e. .c.l.i.c.k. .R.e.s.t.a.r.t. .t.o. .r.e.b.o.o.t. .t.h.e. .s.y.s.t.e.m.......1.1.0.8.
            Process:C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe
            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
            Category:dropped
            Size (bytes):14958
            Entropy (8bit):5.199600266556664
            Encrypted:false
            SSDEEP:384:DKeEbO3nlKcDUK21OxgCvk3aV4ls8Gb8YVyl:DKtbO3lKcoK21OxgCl7Fyl
            MD5:831FE6D667B6F53826290536C987FE2B
            SHA1:71A6552DCD68C8606933F80B770736C5E8EDBDDF
            SHA-256:9E6D74A5CD777C12767959CD684A5A277930FC6FB109A0641E8D65570A7422D2
            SHA-512:9382F8BFE268167756A5D17D84CFD176C66F749BB13DE8369BB5F7697D6101DF08F01F188E9A0C3E465B1807B14251238467E358755C9C37958BBA4EF239945F
            Malicious:false
            Preview:..[.P.r.o.p.e.r.t.i.e.s.].....F.o.n.t.N.a.m.e.=.M.S. .U.I. .G.o.t.h.i.c.....F.o.n.t.S.i.z.e.=.9.........[.0.x.0.4.1.1.].....1.1.0.0.=..0.0.0.0.0.0.R.g.S.0.0.0....1.1.0.1.=.%.s.....1.1.0.2.=.%.1. ..0.0.0.0.0.0o0.0.0.0.0.0.0.0.0.0.0.0.0n0Kb...0T0Hh.QY0.0 .%.2. ..0.n.PW0f0D0~0Y0.0W0p0.0O0J0._a0O0`0U0D0.0....1.1.0.3.=..0.0.0.0.0.0.0.0 ..0.0.0.0n0.0.0.0.0.0.0.x..W0f0D0~0Y0....1.1.0.4.=.W.i.n.d.o.w.s.(.R.). .I.n.s.t.a.l.l.e.r.n0.0.0.0.0.0.0.x..W0f0D0~0Y0....1.1.0.5.=.W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r..0-..[W0f0D0~0Y0....1.1.0.6.=.%.s. ..0-..[W0f0D0~0Y0....1.1.0.7.=..0.0.0.0.0.0o0.0.0.0.0.0.Nn0 .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r. .n0-..[.0.[.NW0~0W0_0.0.0.0.0.0.0.0.0.}L.Y0.0k0o0.0.0.0.0.0.0.Qw..RY0.0._..L0B0.0~0Y0.0.0.Qw..R.0.0.0.0.0.0W0f0.0.0.0.0.0.0.Qw..RW0f0O0`0U0D0.0....1.1.0.8.=.%.s.....1.1.2.5.=..0.0.0.0.0.0....n0x..b....1.1.2.6.=.S0n0.0.0.0.0.0.0g0.O(uY0.0.....0!kn0.0.0.0K0.0x..bW0f0O0`0U0D0.0....1.1.2.7.=.W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r. ..0.0.0.0n0-..[.0.[.bU0[0.0.p.0.0.0.0.0.0.0o0
            Process:C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe
            File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Title: Installation Database, Subject: Rigaku SureDI, Author: Rigaku corporation, Keywords: Installer,MSI,Database, Comments: Contact: Your local administrator, Create Time/Date: Wed Sep 20 12:13:16 2023, Name of Creating Application: InstallShield 2015 - Premier Edition with Virtualization Pack 22, Security: 1, Template: x64;0,1033,1041, Last Saved By: x64;0, Revision Number: {12226574-52CC-483F-8DB0-E617C91F04D0}1.0.21.0;{12226574-52CC-483F-8DB0-E617C91F04D0}1.0.21.0;{D06C1535-3E12-40B3-B596-393FDCAC1194}, Number of Pages: 500, Number of Characters: 1
            Category:dropped
            Size (bytes):32768
            Entropy (8bit):4.385352392983626
            Encrypted:false
            SSDEEP:192:TcjOfj5NyQDbnPvy2sE9jBF6IYiYF8pA5K+o07KCT87QGRwjKa5:TcMNyQH38E9VF6IYinAM+oGKCga
            MD5:2B7D037A808E9051E98EF0DD4C644975
            SHA1:A42A87AD97BA65350439ED00F045AD3AED48DA56
            SHA-256:DCEF253EA41D7E67B8F8D526085EBA1D00045850FAD2315E26BF826C3993D2B8
            SHA-512:770367E92E7480D64EB655F67A86E64252C3DD74546C09543B214951D5FCF303A25107B3319B2ACAE121D808E2C9C9B013B018E08A89ADB46E5EBA576A721E99
            Malicious:false
            Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
            Process:C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe
            File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Number of Characters: 0, Last Saved By: InstallShield, Number of Words: 0, Title: Installation Database, Comments: Contact: Your local administrator, Keywords: Installer,MSI,Database, Subject: Rigaku SureDI, Author: Rigaku corporation, Security: 1, Number of Pages: 500, Name of Creating Application: InstallShield 2015 - Premier Edition with Virtualization Pack 22, Last Saved Time/Date: Wed Sep 20 12:13:16 2023, Create Time/Date: Wed Sep 20 12:13:16 2023, Last Printed: Wed Sep 20 12:13:16 2023, Revision Number: {51A2CE23-9920-4B37-A131-F84FF84F0C0E}, Code page: 0, Template: x64;0,1033,1041
            Category:dropped
            Size (bytes):100685312
            Entropy (8bit):7.992972509961141
            Encrypted:true
            SSDEEP:1572864:QjXAXkIWhNpqLnKEOxAIRIacb9jNJT0wMydVzjqsAfsUrhcpGRL7CxY3G+XwY:QMXkBrqLBO/RIv9fT9HXcsUEGBGxYHV
            MD5:54CF529004F9E922D18F1BE812B01C70
            SHA1:9D30C52702EA2B9F83364B636E28951C068670D8
            SHA-256:EE22DB01767679BAFA8DB33DD37010B0F1F1BED2C89C1C179E45096982EFDB30
            SHA-512:8947072EB2148246124BF678FB6F848934A4A07329C0E22D8BCCDC8D27DF22862EFF1493B9775B80CE4351D84CC4ADED5954F19AB0D9610BEBE6F354F77E5860
            Malicious:false
            Preview:......................>...................................8........6....................................................................................................................................................................................................................................................................... ... ...!...!..."..."...#...#...$...$...%...%...&...&...'...'...(...(...)...)...*...*...+...+...,...,...-...-.........../.../...0...0...1...1...2...2...3...3...4...4...5...5...6..........;.......................................................................................................%........... ...!..."...#...$...'...&...1...(.......*...+...,...-......./...0...3...2...5...4...I...6...7...>...M...:...<.......=.......?...@...A...B...C...D...E...F...G...H...L...J..._.......N.......O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^...a...`...q...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...s...r...}...t...u...v...w...x...y...z...
            Process:C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe
            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
            Category:dropped
            Size (bytes):5242
            Entropy (8bit):3.716767768245152
            Encrypted:false
            SSDEEP:96:rEhkMaEY4S/iWONvXsEbFWaEPRhS+gWPQPgWRGTwQbPrvnp6kY05w7tCYOvlnAML:YhcWS/8cuQaEZhdxoIWRGcQbPr/p005L
            MD5:9342404BFAF486C2A4EFE42048A084AB
            SHA1:B1B87A59009807D64F6B5CC0FDF59997FFDACD3E
            SHA-256:BC888810AEE7F64C8AEEE7A3D3FC69B63ADFF951675CF801E06A570EDA45BCFF
            SHA-512:D0AB86F84B24CBA3B279377A591E51158D733E900A769ED42E5BDC3137413E45D9CABF5E575E07DECD81D3C46E567DFD5BE880798E407276D0BE27641635689B
            Malicious:false
            Preview:..[.I.n.f.o.].....N.a.m.e.=.I.N.T.L.....V.e.r.s.i.o.n.=.1...0.0...0.0.0.....D.i.s.k.S.p.a.c.e.=.8.0.0.0...;.D.i.s.k.S.p.a.c.e. .r.e.q.u.i.r.e.m.e.n.t. .i.n. .K.B.........[.S.t.a.r.t.u.p.].....C.m.d.L.i.n.e.=.....S.u.p.p.r.e.s.s.W.r.o.n.g.O.S.=.Y.....S.c.r.i.p.t.D.r.i.v.e.n.=.0.....S.c.r.i.p.t.V.e.r.=.1...0...0...1.....D.o.t.N.e.t.O.p.t.i.o.n.a.l.I.n.s.t.a.l.l.I.f.S.i.l.e.n.t.=.N.....O.n.U.p.g.r.a.d.e.=.2.....P.r.o.d.u.c.t.=.R.i.g.a.k.u. .S.u.r.e.D.I.....P.a.c.k.a.g.e.N.a.m.e.=.R.i.g.a.k.u. .S.u.r.e.D.I...m.s.i.....E.n.a.b.l.e.L.a.n.g.D.l.g.=.N.....L.o.g.R.e.s.u.l.t.s.=.N.....D.o.M.a.i.n.t.e.n.a.n.c.e.=.N.....P.r.o.d.u.c.t.C.o.d.e.=.{.1.2.2.2.6.5.7.4.-.5.2.C.C.-.4.8.3.F.-.8.D.B.0.-.E.6.1.7.C.9.1.F.0.4.D.0.}.....P.r.o.d.u.c.t.V.e.r.s.i.o.n.=.1...0...2.1...0.....U.p.g.r.a.d.e.C.o.d.e.=.{.D.0.6.C.1.5.3.5.-.3.E.1.2.-.4.0.B.3.-.B.5.9.6.-.3.9.3.F.D.C.A.C.1.1.9.4.}.....L.a.u.n.c.h.e.r.N.a.m.e.=.S.u.r.e.D.I...e.x.e.....P.a.c.k.a.g.e.C.o.d.e.=.{.5.1.A.2.C.E.2.3.-.9.9.2.0.-.4.B.3.7.-.A.1.3.1.-.F.
            Process:C:\Users\user\Desktop\SureDI.exe
            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
            Category:dropped
            Size (bytes):100313696
            Entropy (8bit):7.999003863277908
            Encrypted:true
            SSDEEP:1572864:yra4sRByRquQj6UVhZGaI3Nsyx7PzknS9WjaGlL33Kbv985rlycizplV6b:Ca4esRqHtVhZGaIdl7PzkS9JK3C8f+l
            MD5:1A6A5DBFD0A009F1D1738EB4ABD18316
            SHA1:6D1598D23209AEC395263376F6FB753100031CAE
            SHA-256:E8EE9C2BA8F88C3A4C6D3221327C0242C17AD9204F6830E12ADFBE6E00981B20
            SHA-512:1A7AFC15ADF96C0BFF2749FF8E61EF64E88636994A7D63EAAF47EAA393B4023441EDBE56D0F4F230665205BFA6520452FE949849917AB32FC1D5CBB43ADF347C
            Malicious:false
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......U.~...-...-...-.v.-...-.v.-...-.w.-...-.w.-...-..|-...-.w.-S..-..y-...-...-...-.v.-&..-.v.-...-..W-...-.v.-...-Rich...-........PE..L.....yY.................F...................`....@..........................`.......v...............................................`..<...........h}...,...........f..8...............................@............`...............................text...uD.......F.................. ..`.rdata..jf...`...h...J..............@..@.data...8........(..................@....rsrc...<....`......................@..@................................................................................................................................................................................................................................................................................................................................................
            Process:C:\Users\user\Desktop\SureDI.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):26
            Entropy (8bit):3.95006375643621
            Encrypted:false
            SSDEEP:3:ggPYV:rPYV
            MD5:187F488E27DB4AF347237FE461A079AD
            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
            Malicious:false
            Preview:[ZoneTransfer]....ZoneId=0
            Process:C:\Users\user\Desktop\SureDI.exe
            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
            Category:dropped
            Size (bytes):20
            Entropy (8bit):2.8954618442383215
            Encrypted:false
            SSDEEP:3:Q+5lkrJ4l49:Q+s2l49
            MD5:DB9AF7503F195DF96593AC42D5519075
            SHA1:1B487531BAD10F77750B8A50ACA48593379E5F56
            SHA-256:0A33C5DFFABCF31A1F6802026E9E2EEF4B285E57FD79D52FDCD98D6502D14B13
            SHA-512:6839264E14576FE190260A4B82AFC11C88E50593A20113483851BF4ABFDB7CCA9986BEF83F4C6B8F98EF4D426F07024CF869E8AB393DF6D2B743B9B8E2544E1B
            Malicious:false
            Preview:..[.F.i.l.e.s.].....
            Process:C:\Users\user\Desktop\SureDI.exe
            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
            Category:dropped
            Size (bytes):5242
            Entropy (8bit):3.716767768245152
            Encrypted:false
            SSDEEP:96:rEhkMaEY4S/iWONvXsEbFWaEPRhS+gWPQPgWRGTwQbPrvnp6kY05w7tCYOvlnAML:YhcWS/8cuQaEZhdxoIWRGcQbPr/p005L
            MD5:9342404BFAF486C2A4EFE42048A084AB
            SHA1:B1B87A59009807D64F6B5CC0FDF59997FFDACD3E
            SHA-256:BC888810AEE7F64C8AEEE7A3D3FC69B63ADFF951675CF801E06A570EDA45BCFF
            SHA-512:D0AB86F84B24CBA3B279377A591E51158D733E900A769ED42E5BDC3137413E45D9CABF5E575E07DECD81D3C46E567DFD5BE880798E407276D0BE27641635689B
            Malicious:false
            Preview:..[.I.n.f.o.].....N.a.m.e.=.I.N.T.L.....V.e.r.s.i.o.n.=.1...0.0...0.0.0.....D.i.s.k.S.p.a.c.e.=.8.0.0.0...;.D.i.s.k.S.p.a.c.e. .r.e.q.u.i.r.e.m.e.n.t. .i.n. .K.B.........[.S.t.a.r.t.u.p.].....C.m.d.L.i.n.e.=.....S.u.p.p.r.e.s.s.W.r.o.n.g.O.S.=.Y.....S.c.r.i.p.t.D.r.i.v.e.n.=.0.....S.c.r.i.p.t.V.e.r.=.1...0...0...1.....D.o.t.N.e.t.O.p.t.i.o.n.a.l.I.n.s.t.a.l.l.I.f.S.i.l.e.n.t.=.N.....O.n.U.p.g.r.a.d.e.=.2.....P.r.o.d.u.c.t.=.R.i.g.a.k.u. .S.u.r.e.D.I.....P.a.c.k.a.g.e.N.a.m.e.=.R.i.g.a.k.u. .S.u.r.e.D.I...m.s.i.....E.n.a.b.l.e.L.a.n.g.D.l.g.=.N.....L.o.g.R.e.s.u.l.t.s.=.N.....D.o.M.a.i.n.t.e.n.a.n.c.e.=.N.....P.r.o.d.u.c.t.C.o.d.e.=.{.1.2.2.2.6.5.7.4.-.5.2.C.C.-.4.8.3.F.-.8.D.B.0.-.E.6.1.7.C.9.1.F.0.4.D.0.}.....P.r.o.d.u.c.t.V.e.r.s.i.o.n.=.1...0...2.1...0.....U.p.g.r.a.d.e.C.o.d.e.=.{.D.0.6.C.1.5.3.5.-.3.E.1.2.-.4.0.B.3.-.B.5.9.6.-.3.9.3.F.D.C.A.C.1.1.9.4.}.....L.a.u.n.c.h.e.r.N.a.m.e.=.S.u.r.e.D.I...e.x.e.....P.a.c.k.a.g.e.C.o.d.e.=.{.5.1.A.2.C.E.2.3.-.9.9.2.0.-.4.B.3.7.-.A.1.3.1.-.F.
            Process:C:\Users\user\Desktop\SureDI.exe
            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
            Category:modified
            Size (bytes):5242
            Entropy (8bit):3.716767768245152
            Encrypted:false
            SSDEEP:96:rEhkMaEY4S/iWONvXsEbFWaEPRhS+gWPQPgWRGTwQbPrvnp6kY05w7tCYOvlnAML:YhcWS/8cuQaEZhdxoIWRGcQbPr/p005L
            MD5:9342404BFAF486C2A4EFE42048A084AB
            SHA1:B1B87A59009807D64F6B5CC0FDF59997FFDACD3E
            SHA-256:BC888810AEE7F64C8AEEE7A3D3FC69B63ADFF951675CF801E06A570EDA45BCFF
            SHA-512:D0AB86F84B24CBA3B279377A591E51158D733E900A769ED42E5BDC3137413E45D9CABF5E575E07DECD81D3C46E567DFD5BE880798E407276D0BE27641635689B
            Malicious:false
            Preview:..[.I.n.f.o.].....N.a.m.e.=.I.N.T.L.....V.e.r.s.i.o.n.=.1...0.0...0.0.0.....D.i.s.k.S.p.a.c.e.=.8.0.0.0...;.D.i.s.k.S.p.a.c.e. .r.e.q.u.i.r.e.m.e.n.t. .i.n. .K.B.........[.S.t.a.r.t.u.p.].....C.m.d.L.i.n.e.=.....S.u.p.p.r.e.s.s.W.r.o.n.g.O.S.=.Y.....S.c.r.i.p.t.D.r.i.v.e.n.=.0.....S.c.r.i.p.t.V.e.r.=.1...0...0...1.....D.o.t.N.e.t.O.p.t.i.o.n.a.l.I.n.s.t.a.l.l.I.f.S.i.l.e.n.t.=.N.....O.n.U.p.g.r.a.d.e.=.2.....P.r.o.d.u.c.t.=.R.i.g.a.k.u. .S.u.r.e.D.I.....P.a.c.k.a.g.e.N.a.m.e.=.R.i.g.a.k.u. .S.u.r.e.D.I...m.s.i.....E.n.a.b.l.e.L.a.n.g.D.l.g.=.N.....L.o.g.R.e.s.u.l.t.s.=.N.....D.o.M.a.i.n.t.e.n.a.n.c.e.=.N.....P.r.o.d.u.c.t.C.o.d.e.=.{.1.2.2.2.6.5.7.4.-.5.2.C.C.-.4.8.3.F.-.8.D.B.0.-.E.6.1.7.C.9.1.F.0.4.D.0.}.....P.r.o.d.u.c.t.V.e.r.s.i.o.n.=.1...0...2.1...0.....U.p.g.r.a.d.e.C.o.d.e.=.{.D.0.6.C.1.5.3.5.-.3.E.1.2.-.4.0.B.3.-.B.5.9.6.-.3.9.3.F.D.C.A.C.1.1.9.4.}.....L.a.u.n.c.h.e.r.N.a.m.e.=.S.u.r.e.D.I...e.x.e.....P.a.c.k.a.g.e.C.o.d.e.=.{.5.1.A.2.C.E.2.3.-.9.9.2.0.-.4.B.3.7.-.A.1.3.1.-.F.
            Process:C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe
            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
            Category:dropped
            Size (bytes):5242
            Entropy (8bit):3.716767768245152
            Encrypted:false
            SSDEEP:96:rEhkMaEY4S/iWONvXsEbFWaEPRhS+gWPQPgWRGTwQbPrvnp6kY05w7tCYOvlnAML:YhcWS/8cuQaEZhdxoIWRGcQbPr/p005L
            MD5:9342404BFAF486C2A4EFE42048A084AB
            SHA1:B1B87A59009807D64F6B5CC0FDF59997FFDACD3E
            SHA-256:BC888810AEE7F64C8AEEE7A3D3FC69B63ADFF951675CF801E06A570EDA45BCFF
            SHA-512:D0AB86F84B24CBA3B279377A591E51158D733E900A769ED42E5BDC3137413E45D9CABF5E575E07DECD81D3C46E567DFD5BE880798E407276D0BE27641635689B
            Malicious:false
            Preview:..[.I.n.f.o.].....N.a.m.e.=.I.N.T.L.....V.e.r.s.i.o.n.=.1...0.0...0.0.0.....D.i.s.k.S.p.a.c.e.=.8.0.0.0...;.D.i.s.k.S.p.a.c.e. .r.e.q.u.i.r.e.m.e.n.t. .i.n. .K.B.........[.S.t.a.r.t.u.p.].....C.m.d.L.i.n.e.=.....S.u.p.p.r.e.s.s.W.r.o.n.g.O.S.=.Y.....S.c.r.i.p.t.D.r.i.v.e.n.=.0.....S.c.r.i.p.t.V.e.r.=.1...0...0...1.....D.o.t.N.e.t.O.p.t.i.o.n.a.l.I.n.s.t.a.l.l.I.f.S.i.l.e.n.t.=.N.....O.n.U.p.g.r.a.d.e.=.2.....P.r.o.d.u.c.t.=.R.i.g.a.k.u. .S.u.r.e.D.I.....P.a.c.k.a.g.e.N.a.m.e.=.R.i.g.a.k.u. .S.u.r.e.D.I...m.s.i.....E.n.a.b.l.e.L.a.n.g.D.l.g.=.N.....L.o.g.R.e.s.u.l.t.s.=.N.....D.o.M.a.i.n.t.e.n.a.n.c.e.=.N.....P.r.o.d.u.c.t.C.o.d.e.=.{.1.2.2.2.6.5.7.4.-.5.2.C.C.-.4.8.3.F.-.8.D.B.0.-.E.6.1.7.C.9.1.F.0.4.D.0.}.....P.r.o.d.u.c.t.V.e.r.s.i.o.n.=.1...0...2.1...0.....U.p.g.r.a.d.e.C.o.d.e.=.{.D.0.6.C.1.5.3.5.-.3.E.1.2.-.4.0.B.3.-.B.5.9.6.-.3.9.3.F.D.C.A.C.1.1.9.4.}.....L.a.u.n.c.h.e.r.N.a.m.e.=.S.u.r.e.D.I...e.x.e.....P.a.c.k.a.g.e.C.o.d.e.=.{.5.1.A.2.C.E.2.3.-.9.9.2.0.-.4.B.3.7.-.A.1.3.1.-.F.
            Process:C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe
            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
            Category:dropped
            Size (bytes):5242
            Entropy (8bit):3.716767768245152
            Encrypted:false
            SSDEEP:96:rEhkMaEY4S/iWONvXsEbFWaEPRhS+gWPQPgWRGTwQbPrvnp6kY05w7tCYOvlnAML:YhcWS/8cuQaEZhdxoIWRGcQbPr/p005L
            MD5:9342404BFAF486C2A4EFE42048A084AB
            SHA1:B1B87A59009807D64F6B5CC0FDF59997FFDACD3E
            SHA-256:BC888810AEE7F64C8AEEE7A3D3FC69B63ADFF951675CF801E06A570EDA45BCFF
            SHA-512:D0AB86F84B24CBA3B279377A591E51158D733E900A769ED42E5BDC3137413E45D9CABF5E575E07DECD81D3C46E567DFD5BE880798E407276D0BE27641635689B
            Malicious:false
            Preview:..[.I.n.f.o.].....N.a.m.e.=.I.N.T.L.....V.e.r.s.i.o.n.=.1...0.0...0.0.0.....D.i.s.k.S.p.a.c.e.=.8.0.0.0...;.D.i.s.k.S.p.a.c.e. .r.e.q.u.i.r.e.m.e.n.t. .i.n. .K.B.........[.S.t.a.r.t.u.p.].....C.m.d.L.i.n.e.=.....S.u.p.p.r.e.s.s.W.r.o.n.g.O.S.=.Y.....S.c.r.i.p.t.D.r.i.v.e.n.=.0.....S.c.r.i.p.t.V.e.r.=.1...0...0...1.....D.o.t.N.e.t.O.p.t.i.o.n.a.l.I.n.s.t.a.l.l.I.f.S.i.l.e.n.t.=.N.....O.n.U.p.g.r.a.d.e.=.2.....P.r.o.d.u.c.t.=.R.i.g.a.k.u. .S.u.r.e.D.I.....P.a.c.k.a.g.e.N.a.m.e.=.R.i.g.a.k.u. .S.u.r.e.D.I...m.s.i.....E.n.a.b.l.e.L.a.n.g.D.l.g.=.N.....L.o.g.R.e.s.u.l.t.s.=.N.....D.o.M.a.i.n.t.e.n.a.n.c.e.=.N.....P.r.o.d.u.c.t.C.o.d.e.=.{.1.2.2.2.6.5.7.4.-.5.2.C.C.-.4.8.3.F.-.8.D.B.0.-.E.6.1.7.C.9.1.F.0.4.D.0.}.....P.r.o.d.u.c.t.V.e.r.s.i.o.n.=.1...0...2.1...0.....U.p.g.r.a.d.e.C.o.d.e.=.{.D.0.6.C.1.5.3.5.-.3.E.1.2.-.4.0.B.3.-.B.5.9.6.-.3.9.3.F.D.C.A.C.1.1.9.4.}.....L.a.u.n.c.h.e.r.N.a.m.e.=.S.u.r.e.D.I...e.x.e.....P.a.c.k.a.g.e.C.o.d.e.=.{.5.1.A.2.C.E.2.3.-.9.9.2.0.-.4.B.3.7.-.A.1.3.1.-.F.
            Process:C:\Windows\System32\msiexec.exe
            File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Number of Characters: 0, Last Saved By: InstallShield, Number of Words: 0, Title: Installation Database, Comments: Contact: Your local administrator, Keywords: Installer,MSI,Database, Subject: Rigaku SureDI, Author: Rigaku corporation, Security: 1, Number of Pages: 500, Name of Creating Application: InstallShield 2015 - Premier Edition with Virtualization Pack 22, Last Saved Time/Date: Wed Sep 20 12:13:16 2023, Create Time/Date: Wed Sep 20 12:13:16 2023, Last Printed: Wed Sep 20 12:13:16 2023, Revision Number: {51A2CE23-9920-4B37-A131-F84FF84F0C0E}, Code page: 0, Template: x64;0,1033,1041
            Category:dropped
            Size (bytes):100685312
            Entropy (8bit):7.992972509961141
            Encrypted:true
            SSDEEP:1572864:QjXAXkIWhNpqLnKEOxAIRIacb9jNJT0wMydVzjqsAfsUrhcpGRL7CxY3G+XwY:QMXkBrqLBO/RIv9fT9HXcsUEGBGxYHV
            MD5:54CF529004F9E922D18F1BE812B01C70
            SHA1:9D30C52702EA2B9F83364B636E28951C068670D8
            SHA-256:EE22DB01767679BAFA8DB33DD37010B0F1F1BED2C89C1C179E45096982EFDB30
            SHA-512:8947072EB2148246124BF678FB6F848934A4A07329C0E22D8BCCDC8D27DF22862EFF1493B9775B80CE4351D84CC4ADED5954F19AB0D9610BEBE6F354F77E5860
            Malicious:false
            Preview:......................>...................................8........6....................................................................................................................................................................................................................................................................... ... ...!...!..."..."...#...#...$...$...%...%...&...&...'...'...(...(...)...)...*...*...+...+...,...,...-...-.........../.../...0...0...1...1...2...2...3...3...4...4...5...5...6..........;.......................................................................................................%........... ...!..."...#...$...'...&...1...(.......*...+...,...-......./...0...3...2...5...4...I...6...7...>...M...:...<.......=.......?...@...A...B...C...D...E...F...G...H...L...J..._.......N.......O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^...a...`...q...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...s...r...}...t...u...v...w...x...y...z...
            Process:C:\Windows\System32\msiexec.exe
            File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Title: Installation Database, Subject: Rigaku SureDI, Author: Rigaku corporation, Keywords: Installer,MSI,Database, Comments: Contact: Your local administrator, Create Time/Date: Wed Sep 20 12:13:16 2023, Name of Creating Application: InstallShield 2015 - Premier Edition with Virtualization Pack 22, Security: 1, Template: x64;0,1033,1041, Last Saved By: x64;0, Revision Number: {12226574-52CC-483F-8DB0-E617C91F04D0}1.0.21.0;{12226574-52CC-483F-8DB0-E617C91F04D0}1.0.21.0;{D06C1535-3E12-40B3-B596-393FDCAC1194}, Number of Pages: 500, Number of Characters: 1
            Category:dropped
            Size (bytes):32768
            Entropy (8bit):4.385352392983626
            Encrypted:false
            SSDEEP:192:TcjOfj5NyQDbnPvy2sE9jBF6IYiYF8pA5K+o07KCT87QGRwjKa5:TcMNyQH38E9VF6IYinAM+oGKCga
            MD5:2B7D037A808E9051E98EF0DD4C644975
            SHA1:A42A87AD97BA65350439ED00F045AD3AED48DA56
            SHA-256:DCEF253EA41D7E67B8F8D526085EBA1D00045850FAD2315E26BF826C3993D2B8
            SHA-512:770367E92E7480D64EB655F67A86E64252C3DD74546C09543B214951D5FCF303A25107B3319B2ACAE121D808E2C9C9B013B018E08A89ADB46E5EBA576A721E99
            Malicious:false
            Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
            Process:C:\Windows\System32\msiexec.exe
            File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Number of Characters: 0, Last Saved By: InstallShield, Number of Words: 0, Title: Installation Database, Comments: Contact: Your local administrator, Keywords: Installer,MSI,Database, Subject: Rigaku SureDI, Author: Rigaku corporation, Security: 1, Number of Pages: 500, Name of Creating Application: InstallShield 2015 - Premier Edition with Virtualization Pack 22, Last Saved Time/Date: Wed Sep 20 12:13:16 2023, Create Time/Date: Wed Sep 20 12:13:16 2023, Last Printed: Wed Sep 20 12:13:16 2023, Revision Number: {51A2CE23-9920-4B37-A131-F84FF84F0C0E}, Code page: 0, Template: x64;0,1033,1041
            Category:dropped
            Size (bytes):100685312
            Entropy (8bit):7.992972509961141
            Encrypted:true
            SSDEEP:1572864:QjXAXkIWhNpqLnKEOxAIRIacb9jNJT0wMydVzjqsAfsUrhcpGRL7CxY3G+XwY:QMXkBrqLBO/RIv9fT9HXcsUEGBGxYHV
            MD5:54CF529004F9E922D18F1BE812B01C70
            SHA1:9D30C52702EA2B9F83364B636E28951C068670D8
            SHA-256:EE22DB01767679BAFA8DB33DD37010B0F1F1BED2C89C1C179E45096982EFDB30
            SHA-512:8947072EB2148246124BF678FB6F848934A4A07329C0E22D8BCCDC8D27DF22862EFF1493B9775B80CE4351D84CC4ADED5954F19AB0D9610BEBE6F354F77E5860
            Malicious:false
            Preview:......................>...................................8........6....................................................................................................................................................................................................................................................................... ... ...!...!..."..."...#...#...$...$...%...%...&...&...'...'...(...(...)...)...*...*...+...+...,...,...-...-.........../.../...0...0...1...1...2...2...3...3...4...4...5...5...6..........;.......................................................................................................%........... ...!..."...#...$...'...&...1...(.......*...+...,...-......./...0...3...2...5...4...I...6...7...>...M...:...<.......=.......?...@...A...B...C...D...E...F...G...H...L...J..._.......N.......O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^...a...`...q...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...s...r...}...t...u...v...w...x...y...z...
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
            Category:dropped
            Size (bytes):400136
            Entropy (8bit):6.094339539508556
            Encrypted:false
            SSDEEP:
            MD5:868606DA1068A28072B6F08D1E34049B
            SHA1:237F3D5BF60FFF98840E1CF5D311C8EF0024D9F4
            SHA-256:66C734082D993E4B166E19B0C451CAC2B817445C2DBABAE9F187694788D4BD7B
            SHA-512:F775258CE855EBAF2FCDA08E033ABC2D538CB8784B9B5C688B20492F995DC4AB3A3586BF88ADD050F4391FE43AAFFD199F88A89A11672A4D7F928AD69FDB15D5
            Malicious:false
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......KF...'...'...'....v..'....u..'....u.d'....t.7'..._8..'..._(..'...'...&....t..'....q..'....r..'....w..'..Rich.'..........PE..L...a.yY...........!................HU.......................................@......................................p...................@................-......<)..................................P...@............................................text............................... ..`.rdata..............................@..@.data....6..........................@....rsrc...@...........................@..@.reloc...W.......X..................@..B................................................................................................................................................................................................................................................................................................................
            Process:C:\Windows\System32\msiexec.exe
            File Type:data
            Category:dropped
            Size (bytes):1225491
            Entropy (8bit):6.133522633626216
            Encrypted:false
            SSDEEP:
            MD5:C9DA3C2D904F3446AF5EAEC8F1B22E0A
            SHA1:EEDC2DA9BB85456ACBA0CA31646FFA211DF7D6D0
            SHA-256:54E11E0D36EAD69CDCF7CB15D53CD903CFE71E834E244402E7B885951115CCC4
            SHA-512:75F2FCE15A95DEE129C384A487EB097BBFF1D84FBB02B8ACA9F7BB72F57283BD2A0AA359FF7B85E38C8413737979AABC2B5D1ABD0F9E950CD82C723E7B0E5B35
            Malicious:false
            Preview:...@IXOS.@.....@s2AY.@.....@.....@.....@.....@.....@......&.{12226574-52CC-483F-8DB0-E617C91F04D0}..Rigaku SureDI..Rigaku SureDI.msi.@.....@.....@.....@......ARPPRODUCTICON.exe..&.{51A2CE23-9920-4B37-A131-F84FF84F0C0E}.....@.....@.....@.....@.......@.....@.....@.......@......Rigaku SureDI......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@`....@.....@.]....&.{7BDD2407-5B3B-4A1E-B7D3-0D77EA14F0DE}..C:\Program Files\Rigaku\SureDI\SureDI.v1.0.exe.@.......@.....@.....@......&.{F5EA3BFD-84A7-44F6-9EC1-6AE17B144558}'.C:\Program Files\Rigaku\SureDI\License\.@.......@.....@.....@......&.{27AA3830-2F09-4373-A4DA-B451D96BFA29}(.C:\Program Files\Rigaku\SureDI\SQLQuery\.@.......@.....@.....@......&.{6EDD79DC-EF94-42D4-8298-3F945FA68E90}..C:\Program Files\Rigaku\SureDI\.@.......@.....@.....@......&.{41BC3AC2-727C-4588-B3F8-E2E703BF1651}...@.......@.....@.....@......&.{4B1B521F-A83F-4931
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
            Category:dropped
            Size (bytes):321320
            Entropy (8bit):6.058356308483922
            Encrypted:false
            SSDEEP:
            MD5:8F40C4884C8D153FC624A111268EE315
            SHA1:DA29B2B989C639C44D126CDD22839CA774CA0D89
            SHA-256:EF276C4B6E697BAC16044702E15D9FE944A730A0A27CA86FC8E919F808396759
            SHA-512:C65FD4184A3AB59D35A259B32EC18BF0FD047C2E3ED01519A0989E84F194A5A3DCFD4BA2CFC79F4E40AE3DDB43D503CD933F2F408F9809F9E6D571F4EF3BB12C
            Malicious:false
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?...{...{...{.............r......N....h.z...{........m.p.......y.......z.......z...{.C.z.......z...Rich{...........................PE..d...(.yY.........." .........,........................................................... ..........................................v......Pm..x.......0........!......(-...........................................(..p...............8............................text.../........................... ..`.rdata..............................@..@.data....=...........t..............@....pdata...!......."..................@..@.rsrc...0...........................@..@.reloc..............................@..B........................................................................................................................................................................................................................................
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
            Category:dropped
            Size (bytes):400136
            Entropy (8bit):6.094339539508556
            Encrypted:false
            SSDEEP:
            MD5:868606DA1068A28072B6F08D1E34049B
            SHA1:237F3D5BF60FFF98840E1CF5D311C8EF0024D9F4
            SHA-256:66C734082D993E4B166E19B0C451CAC2B817445C2DBABAE9F187694788D4BD7B
            SHA-512:F775258CE855EBAF2FCDA08E033ABC2D538CB8784B9B5C688B20492F995DC4AB3A3586BF88ADD050F4391FE43AAFFD199F88A89A11672A4D7F928AD69FDB15D5
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:Composite Document File V2 Document, Cannot read section info
            Category:dropped
            Size (bytes):20480
            Entropy (8bit):1.1655211095256601
            Encrypted:false
            SSDEEP:
            MD5:B3767C406D7365BC8AB7CCE9A7C37584
            SHA1:5924188BB4C2C70EF49DB3129E5B3A41C835E153
            SHA-256:E1794AACBBFDF555A2758B360D48B6D8F2950E7927A9B404919D50D79E602E98
            SHA-512:4CFA86FFF0602A55EC3A19E2B5B8897525A84EE3E30D76D18CBD729F974E36E774269F8433D30D035E3F64A09124A96823ABF525ADD5D49328E192372E79E231
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:Composite Document File V2 Document, Cannot read section info
            Category:dropped
            Size (bytes):24576
            Entropy (8bit):2.082242328150258
            Encrypted:false
            SSDEEP:
            MD5:C5D1C28F6734E3FC7856CB49004C6EF9
            SHA1:0ED262A26B41C15FB24BD95D0F97990A2003757E
            SHA-256:BE20202505FF1B7B83149E9347AFB25E12E3A6CA12FF7580AB39B6D2D0C363EA
            SHA-512:DE7F91C978CE3F984914B6C066ED7F9A46F76C0E387AC0522AED7DB2ECC9D71316DB9E3D81FB7959CDE472BFE464CB2B7283BE0B293A81033B2B8F2BECF5379D
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Title: Installation Database, Subject: Rigaku SureDI, Author: Rigaku corporation, Keywords: Installer,MSI,Database, Comments: Contact: Your local administrator, Create Time/Date: Wed Sep 20 12:13:16 2023, Name of Creating Application: InstallShield 2015 - Premier Edition with Virtualization Pack 22, Security: 1, Template: x64;0,1033,1041, Last Saved By: x64;0, Revision Number: {12226574-52CC-483F-8DB0-E617C91F04D0}1.0.21.0;{12226574-52CC-483F-8DB0-E617C91F04D0}1.0.21.0;{D06C1535-3E12-40B3-B596-393FDCAC1194}, Number of Pages: 500, Number of Characters: 1
            Category:dropped
            Size (bytes):32768
            Entropy (8bit):4.385352392983626
            Encrypted:false
            SSDEEP:
            MD5:2B7D037A808E9051E98EF0DD4C644975
            SHA1:A42A87AD97BA65350439ED00F045AD3AED48DA56
            SHA-256:DCEF253EA41D7E67B8F8D526085EBA1D00045850FAD2315E26BF826C3993D2B8
            SHA-512:770367E92E7480D64EB655F67A86E64252C3DD74546C09543B214951D5FCF303A25107B3319B2ACAE121D808E2C9C9B013B018E08A89ADB46E5EBA576A721E99
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
            Category:dropped
            Size (bytes):85232
            Entropy (8bit):6.050063798292067
            Encrypted:false
            SSDEEP:
            MD5:2EA365BE74472FAD49C612ADD3EE42CF
            SHA1:21403746F0E37E8F64D4922E363842D02541DB1F
            SHA-256:52545819E5790CC1DBF06296CE71167E951D1CA69562EB497FE0CF6AB0BBFC17
            SHA-512:48DD944E90D23213CEA782974BE1977B1E0811925FFAC86B2D9EFBED84E2F88BA04BCDBC6A210DB898B842AF65E54B6648A243A65A0FB0D53C83F6C26C57FB60
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
            Category:dropped
            Size (bytes):432221
            Entropy (8bit):5.3751687761988265
            Encrypted:false
            SSDEEP:
            MD5:CEB8839A3AF9FBF71B57C72F9D695B54
            SHA1:2E7EB05C9D322B7D51C36421BF297861006C9F27
            SHA-256:47B8C02FA80648A785F5E5AE773CAE486822354D8D92DC4F16775D7F070B658E
            SHA-512:236148E56DB7EF597AF144304DD4CB46DFFF0ABEC685DB58F3E3E1F8DC6D4267E912AB22D0383052A3B912FBE3A0AEA141C9A9DACF1BDA9E7E6C652E4419B567
            Malicious:false
            Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [
            Process:C:\Windows\System32\svchost.exe
            File Type:JSON data
            Category:dropped
            Size (bytes):55
            Entropy (8bit):4.306461250274409
            Encrypted:false
            SSDEEP:
            MD5:DCA83F08D448911A14C22EBCACC5AD57
            SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
            SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
            SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
            Malicious:false
            Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
            Process:C:\Windows\System32\msiexec.exe
            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
            Category:dropped
            Size (bytes):829264
            Entropy (8bit):6.55381739669424
            Encrypted:false
            SSDEEP:
            MD5:DF3CA8D16BDED6A54977B30E66864D33
            SHA1:B7B9349B33230C5B80886F5C1F0A42848661C883
            SHA-256:1D1A1AE540BA132F998D60D3622F0297B6E86AE399332C3B47462D7C0F560A36
            SHA-512:951B2F67C2F2EF1CFCD4B43BD3EE0E486CDBA7D04B4EA7259DF0E4B3112E360AEFB8DCD058BECCCACD99ACA7F56D4F9BD211075BD16B28C2661D562E50B423F0
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:Composite Document File V2 Document, Cannot read section info
            Category:dropped
            Size (bytes):49152
            Entropy (8bit):1.3510695367360097
            Encrypted:false
            SSDEEP:
            MD5:B707D9699B6381BD65E449D2DAC0A10B
            SHA1:7CEF149CA5117B9925208552C6058BAF1C65CAE2
            SHA-256:4E779BEBA2A2377FE0587EAD66E531A451FC111B20CC781F6E92B667DC947483
            SHA-512:F7831DA6B2186BE40531EEC106C6E4C9EDBAB8594433F984EEF73422DCCAF5C5A3CF255E6C14C409F6064C6464AF753845759C6B0EDA7C3AA63290B907AAA38D
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:data
            Category:dropped
            Size (bytes):512
            Entropy (8bit):0.0
            Encrypted:false
            SSDEEP:
            MD5:BF619EAC0CDF3F68D496EA9344137E8B
            SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
            SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
            SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:data
            Category:dropped
            Size (bytes):512
            Entropy (8bit):0.0
            Encrypted:false
            SSDEEP:
            MD5:BF619EAC0CDF3F68D496EA9344137E8B
            SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
            SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
            SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:data
            Category:dropped
            Size (bytes):512
            Entropy (8bit):0.0
            Encrypted:false
            SSDEEP:
            MD5:BF619EAC0CDF3F68D496EA9344137E8B
            SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
            SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
            SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:data
            Category:dropped
            Size (bytes):73728
            Entropy (8bit):0.4134651760207577
            Encrypted:false
            SSDEEP:
            MD5:696368086C9A4734F1F9A00D5B6839B1
            SHA1:B4AAF0FE08765EFCB15E4C4092FD9E9284AF0364
            SHA-256:1F7D7D10EF11F1284DC26EF847B0E889FA5BB89E543CB023B05F91F4E62486D8
            SHA-512:003F8A3BFB96E5BD8A0A0DFBE4E4688482E65101A4E0F315B39577D4D93A65A22666B6B7E6ADC100E479FA8F206EAE05C33BB5036B12BE3ABEB1C0D0FD39F340
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:data
            Category:modified
            Size (bytes):512
            Entropy (8bit):0.0
            Encrypted:false
            SSDEEP:
            MD5:BF619EAC0CDF3F68D496EA9344137E8B
            SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
            SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
            SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:data
            Category:dropped
            Size (bytes):32768
            Entropy (8bit):0.07295654516939493
            Encrypted:false
            SSDEEP:
            MD5:4CDEDBD387F5AAE32E9EC51B524E5D8C
            SHA1:3C15FA972EE654299FBF4AE585ABF4C3BAFDF2C3
            SHA-256:9F919479F6962877333F578D142BD2576A8050993755B23928BDD8E19341018D
            SHA-512:A248E265FCA6F328937644765249795E4166919F7062F26D973C6E7AE1F6242839942442ACC428725D9FF7C34D578420820DAA016A24512FD0BE5702367122A6
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:Composite Document File V2 Document, Cannot read section info
            Category:dropped
            Size (bytes):49152
            Entropy (8bit):1.3510695367360097
            Encrypted:false
            SSDEEP:
            MD5:B707D9699B6381BD65E449D2DAC0A10B
            SHA1:7CEF149CA5117B9925208552C6058BAF1C65CAE2
            SHA-256:4E779BEBA2A2377FE0587EAD66E531A451FC111B20CC781F6E92B667DC947483
            SHA-512:F7831DA6B2186BE40531EEC106C6E4C9EDBAB8594433F984EEF73422DCCAF5C5A3CF255E6C14C409F6064C6464AF753845759C6B0EDA7C3AA63290B907AAA38D
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:Composite Document File V2 Document, Cannot read section info
            Category:dropped
            Size (bytes):24576
            Entropy (8bit):2.082242328150258
            Encrypted:false
            SSDEEP:
            MD5:C5D1C28F6734E3FC7856CB49004C6EF9
            SHA1:0ED262A26B41C15FB24BD95D0F97990A2003757E
            SHA-256:BE20202505FF1B7B83149E9347AFB25E12E3A6CA12FF7580AB39B6D2D0C363EA
            SHA-512:DE7F91C978CE3F984914B6C066ED7F9A46F76C0E387AC0522AED7DB2ECC9D71316DB9E3D81FB7959CDE472BFE464CB2B7283BE0B293A81033B2B8F2BECF5379D
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:data
            Category:dropped
            Size (bytes):512
            Entropy (8bit):0.0
            Encrypted:false
            SSDEEP:
            MD5:BF619EAC0CDF3F68D496EA9344137E8B
            SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
            SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
            SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:Composite Document File V2 Document, Cannot read section info
            Category:dropped
            Size (bytes):49152
            Entropy (8bit):1.3510695367360097
            Encrypted:false
            SSDEEP:
            MD5:B707D9699B6381BD65E449D2DAC0A10B
            SHA1:7CEF149CA5117B9925208552C6058BAF1C65CAE2
            SHA-256:4E779BEBA2A2377FE0587EAD66E531A451FC111B20CC781F6E92B667DC947483
            SHA-512:F7831DA6B2186BE40531EEC106C6E4C9EDBAB8594433F984EEF73422DCCAF5C5A3CF255E6C14C409F6064C6464AF753845759C6B0EDA7C3AA63290B907AAA38D
            Malicious:false
            Process:C:\Windows\System32\msiexec.exe
            File Type:Composite Document File V2 Document, Cannot read section info
            Category:dropped
            Size (bytes):24576
            Entropy (8bit):2.082242328150258
            Encrypted:false
            SSDEEP:
            MD5:C5D1C28F6734E3FC7856CB49004C6EF9
            SHA1:0ED262A26B41C15FB24BD95D0F97990A2003757E
            SHA-256:BE20202505FF1B7B83149E9347AFB25E12E3A6CA12FF7580AB39B6D2D0C363EA
            SHA-512:DE7F91C978CE3F984914B6C066ED7F9A46F76C0E387AC0522AED7DB2ECC9D71316DB9E3D81FB7959CDE472BFE464CB2B7283BE0B293A81033B2B8F2BECF5379D
            Malicious:false
            File type:PE32 executable (GUI) Intel 80386, for MS Windows
            Entropy (8bit):7.999003863277908
            TrID:
            • Win32 Executable (generic) a (10002005/4) 99.96%
            • Generic Win/DOS Executable (2004/3) 0.02%
            • DOS Executable Generic (2002/1) 0.02%
            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
            File name:SureDI.exe
            File size:100'313'696 bytes
            MD5:1a6a5dbfd0a009f1d1738eb4abd18316
            SHA1:6d1598d23209aec395263376f6fb753100031cae
            SHA256:e8ee9c2ba8f88c3a4c6d3221327c0242c17ad9204f6830e12adfbe6e00981b20
            SHA512:1a7afc15adf96c0bff2749ff8e61ef64e88636994a7d63eaaf47eaa393b4023441edbe56d0f4f230665205bfa6520452fe949849917ab32fc1d5cbb43adf347c
            SSDEEP:1572864:yra4sRByRquQj6UVhZGaI3Nsyx7PzknS9WjaGlL33Kbv985rlycizplV6b:Ca4esRqHtVhZGaIdl7PzkS9JK3C8f+l
            TLSH:13283313B880903ED2A606321C6FEEB406753DBB9636451AB258FF0D3EF4591B927F46
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......U..~...-...-...-.v.-...-.v.-...-.w.-...-.w.-...-..|-...-.w.-S..-..y-...-...-...-.v.-&..-.v.-...-..W-...-.v.-...-Rich...-.......
            Icon Hash:55497933cc61714d
            Entrypoint:0x4580fc
            Entrypoint Section:.text
            Digitally signed:true
            Imagebase:0x400000
            Subsystem:windows gui
            Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
            DLL Characteristics:NX_COMPAT, TERMINAL_SERVER_AWARE
            Time Stamp:0x5979EF00 [Thu Jul 27 13:47:44 2017 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major:5
            OS Version Minor:1
            File Version Major:5
            File Version Minor:1
            Subsystem Version Major:5
            Subsystem Version Minor:1
            Import Hash:62c62c4f0cbff3f5300c1f4f9c4854ea
            Signature Valid:true
            Signature Issuer:CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
            Signature Validation Error:The operation completed successfully
            Error Number:0
            Not Before:12/01/2022 00:00:00
            Not After:11/01/2024 23:59:59
            Subject Chain
            • CN=Rigaku Corporation, OU=X-ray Instrument Division, O=Rigaku Corporation, L=AKISHIMA-SHI, S=TOKYO, C=JP
            Version:3
            Thumbprint MD5:98EC7FBE925E507AF35FC85C9C23F248
            Thumbprint SHA-1:B8B285C6902CF2A4D6726407135CBAF6DFD242DD
            Thumbprint SHA-256:4F551B1F7A17B1F52D7B4A717502778815B13F9BB96D7DFAB5173B111D778F83
            Serial:03E0BA25D1AFB9CEA6BD2736F8429813
            Instruction
            call 00007F84F87ED0D2h
            jmp 00007F84F87DE25Eh
            push ebp
            mov ebp, esp
            mov eax, dword ptr [ebp+14h]
            push esi
            test eax, eax
            je 00007F84F87DE45Eh
            cmp dword ptr [ebp+08h], 00000000h
            jne 00007F84F87DE435h
            call 00007F84F87DC80Eh
            push 00000016h
            pop esi
            mov dword ptr [eax], esi
            call 00007F84F87E10BEh
            mov eax, esi
            jmp 00007F84F87DE447h
            cmp dword ptr [ebp+10h], 00000000h
            je 00007F84F87DE409h
            cmp dword ptr [ebp+0Ch], eax
            jnc 00007F84F87DE42Bh
            call 00007F84F87DC7F0h
            push 00000022h
            jmp 00007F84F87DE402h
            push eax
            push dword ptr [ebp+10h]
            push dword ptr [ebp+08h]
            call 00007F84F87DA29Bh
            add esp, 0Ch
            xor eax, eax
            pop esi
            pop ebp
            ret
            push ebp
            mov ebp, esp
            xor edx, edx
            mov eax, edx
            cmp dword ptr [ebp+0Ch], eax
            jbe 00007F84F87DE433h
            mov ecx, dword ptr [ebp+08h]
            cmp word ptr [ecx], dx
            je 00007F84F87DE42Bh
            inc eax
            add ecx, 02h
            cmp eax, dword ptr [ebp+0Ch]
            jc 00007F84F87DE414h
            pop ebp
            ret
            push ebp
            mov ebp, esp
            and dword ptr [004F3D38h], 00000000h
            sub esp, 10h
            push ebx
            xor ebx, ebx
            inc ebx
            or dword ptr [004EDAE0h], ebx
            push 0000000Ah
            call 00007F84F8823D06h
            test eax, eax
            je 00007F84F87DE534h
            xor ecx, ecx
            mov eax, ebx
            mov dword ptr [004F3D38h], ebx
            cpuid
            push esi
            mov esi, dword ptr [004EDAE0h]
            push edi
            lea edi, dword ptr [ebp-10h]
            or esi, 02h
            mov dword ptr [edi], eax
            mov dword ptr [edi+04h], ebx
            mov dword ptr [edi+08h], ecx
            mov dword ptr [edi+0Ch], edx
            test dword ptr [ebp-08h], 00100000h
            Programming Language:
            • [ C ] VS2012 UPD1 build 51106
            • [C++] VS2012 UPD1 build 51106
            • [RES] VS2012 UPD1 build 51106
            • [LNK] VS2012 UPD1 build 51106
            Name | Virtual Address | Virtual Size | Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IMPORT | 0xea904 | 0xc8 | .rdata
            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xf6000 | 0x4f63c | .rsrc
            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x5fa7d68 | 0x2cf8 |
            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_DEBUG | 0xb6680 | 0x38 | .rdata
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xcfcb0 | 0x40 | .rdata
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IAT | 0xb6000 | 0x584 | .rdata
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xe9fb8 | 0xe0 | .rdata
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
            .text | 0x1000 | 0xb4475 | 0xb4600 | 5b2f045d5298322ba6727de76d54b0d9 | False | 0.49386450753638256 | data | 6.587096202097185 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            .rdata | 0xb6000 | 0x3666a | 0x36800 | c10b8e7e278c76b696ddbeba1e500f3c | False | 0.4162306479357798 | data | 5.096488208126698 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .data | 0xed000 | 0x8c38 | 0x2800 | dbd6c9b063d673c81c5bd4d8a1b9d07e | False | 0.2900390625 | data | 4.454141112988542 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            .rsrc | 0xf6000 | 0x4f63c | 0x4f800 | b37b9204ef517d8d92df7f184be716b4 | False | 0.35502346206761004 | data | 6.627779762410984 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            Name | RVA | Size | Type | Language | Country | ZLIB Complexity
            GIF | 0xf6eec | 0x33a7 | GIF image data, version 89a, 350 x 624 | | | 0.9106859260379642
            GIF | 0xfa294 | 0x339f | GIF image data, version 89a, 350 x 624 | English | United States | 0.9129020052970109
            PNG | 0xfd634 | 0x39ed | PNG image data, 360 x 150, 8-bit/color RGBA, non-interlaced | | | 0.9975723244992919
            PNG | 0x101024 | 0x2fc9 | PNG image data, 240 x 227, 8-bit/color RGBA, non-interlaced | | | 0.9968119022316685
            RT_BITMAP | 0x103ff0 | 0x14220 | Device independent bitmap graphic, 220 x 370 x 8, image size 81400 | | | 0.34390764454792394
            RT_BITMAP | 0x118210 | 0x1b5c | Device independent bitmap graphic, 180 x 75 x 4, image size 6900 | | | 0.18046830382638493
            RT_BITMAP | 0x119d6c | 0x38e4 | Device independent bitmap graphic, 180 x 75 x 8, image size 13500 | | | 0.26689096402087337
            RT_BITMAP | 0x11d650 | 0x1238 | Device independent bitmap graphic, 60 x 60 x 8, image size 3600 | | | 0.23499142367066894
            RT_BITMAP | 0x11e888 | 0x6588 | Device independent bitmap graphic, 161 x 152 x 8, image size 24928, resolution 3796 x 3796 px/m, 256 important colors | | | 0.3035934133579563
            RT_BITMAP | 0x124e10 | 0x11f88 | Device independent bitmap graphic, 161 x 152 x 24, image size 73568, resolution 3780 x 3780 px/m | | | 0.12790729268557766
            RT_ICON | 0x136d98 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 0 | | | 0.21341463414634146
            RT_ICON | 0x137400 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | | | 0.34139784946236557
            RT_ICON | 0x1376e8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | | | 0.5202702702702703
            RT_ICON | 0x137810 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | | | 0.47334754797441364
            RT_ICON | 0x1386b8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | | | 0.6101083032490975
            RT_ICON | 0x138f60 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | | | 0.596820809248555
            RT_ICON | 0x1394c8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | | | 0.2932572614107884
            RT_ICON | 0x13ba70 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | | | 0.4343339587242026
            RT_ICON | 0x13cb18 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | | | 0.7198581560283688
            RT_ICON | 0x13cf80 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | | | 0.35618279569892475
            RT_ICON | 0x13d268 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | | | 0.42473118279569894
            RT_DIALOG | 0x13d550 | 0x1ce | data | | | 0.48917748917748916
            RT_DIALOG | 0x13d720 | 0x266 | data | | | 0.4527687296416938
            RT_DIALOG | 0x13d988 | 0x2b0 | data | | | 0.438953488372093
            RT_DIALOG | 0x13dc38 | 0x54 | data | | | 0.6904761904761905
            RT_DIALOG | 0x13dc8c | 0x34 | data | | | 0.8846153846153846
            RT_DIALOG | 0x13dcc0 | 0xd6 | data | | | 0.6495327102803738
            RT_DIALOG | 0x13dd98 | 0x114 | data | | | 0.5036231884057971
            RT_DIALOG | 0x13deac | 0xd6 | data | | | 0.5841121495327103
            RT_DIALOG | 0x13df84 | 0x246 | data | | | 0.4690721649484536
            RT_DIALOG | 0x13e1cc | 0x3c8 | data | | | 0.4194214876033058
            RT_DIALOG | 0x13e594 | 0x14e | data | | | 0.5359281437125748
            RT_DIALOG | 0x13e6e4 | 0x1e8 | data | | | 0.49385245901639346
            RT_DIALOG | 0x13e8cc | 0x1c6 | data | | | 0.5286343612334802
            RT_DIALOG | 0x13ea94 | 0x1ee | data | | | 0.49190283400809715
            RT_DIALOG | 0x13ec84 | 0x7c | data | | | 0.7580645161290323
            RT_DIALOG | 0x13ed00 | 0x3bc | data | | | 0.4372384937238494
            RT_DIALOG | 0x13f0bc | 0x158 | data | | | 0.5581395348837209
            RT_DIALOG | 0x13f214 | 0x1da | data | | | 0.5168776371308017
            RT_DIALOG | 0x13f3f0 | 0x10a | data | | | 0.6015037593984962
            RT_DIALOG | 0x13f4fc | 0xde | data | | | 0.6441441441441441
            RT_DIALOG | 0x13f5dc | 0x1d4 | data | | | 0.5085470085470085
            RT_DIALOG | 0x13f7b0 | 0x1dc | data | | | 0.5210084033613446
            RT_DIALOG | 0x13f98c | 0x294 | data | | | 0.48787878787878786
            RT_STRING | 0x13fc20 | 0x160 | data | English | United States | 0.5340909090909091
            RT_STRING | 0x13fd80 | 0x23e | data | English | United States | 0.40418118466898956
            RT_STRING | 0x13ffc0 | 0x378 | data | English | United States | 0.4222972972972973
            RT_STRING | 0x140338 | 0x252 | data | English | United States | 0.4393939393939394
            RT_STRING | 0x14058c | 0x1f4 | data | English | United States | 0.442
            RT_STRING | 0x140780 | 0x66a | data | English | United States | 0.3617539585870889
            RT_STRING | 0x140dec | 0x366 | data | English | United States | 0.41379310344827586
            RT_STRING | 0x141154 | 0x27e | data | English | United States | 0.4561128526645768
            RT_STRING | 0x1413d4 | 0x518 | data | English | United States | 0.39800613496932513
            RT_STRING | 0x1418ec | 0x882 | data | English | United States | 0.3002754820936639
            RT_STRING | 0x142170 | 0x23e | data | English | United States | 0.45121951219512196
            RT_STRING | 0x1423b0 | 0x3ba | data | English | United States | 0.3280922431865828
            RT_STRING | 0x14276c | 0x12c | data | English | United States | 0.5266666666666666
            RT_STRING | 0x142898 | 0x4a | data | English | United States | 0.6756756756756757
            RT_STRING | 0x1428e4 | 0xda | data | English | United States | 0.6100917431192661
            RT_STRING | 0x1429c0 | 0x110 | data | English | United States | 0.5845588235294118
            RT_STRING | 0x142ad0 | 0x20a | data | English | United States | 0.4521072796934866
            RT_STRING | 0x142cdc | 0xba | Matlab v4 mat-file (little endian) P, numeric, rows 0, columns 0 | English | United States | 0.5860215053763441
            RT_STRING | 0x142d98 | 0xa8 | data | English | United States | 0.6607142857142857
            RT_STRING | 0x142e40 | 0x12a | data | English | United States | 0.5201342281879194
            RT_STRING | 0x142f6c | 0x422 | data | English | United States | 0.2741020793950851
            RT_STRING | 0x143390 | 0x5c2 | data | English | United States | 0.37720488466757124
            RT_STRING | 0x143954 | 0x40 | data | English | United States | 0.671875
            RT_STRING | 0x143994 | 0xcaa | data | English | United States | 0.2313386798272671
            RT_STRING | 0x144640 | 0x284 | data | English | United States | 0.4363354037267081
            RT_GROUP_ICON | 0x1448c4 | 0x84 | data | | | 0.6363636363636364
            RT_GROUP_ICON | 0x144948 | 0x14 | data | | | 1.25
            RT_GROUP_ICON | 0x14495c | 0x14 | data | | | 1.25
            RT_VERSION | 0x144970 | 0x424 | data | | | 0.4179245283018868
            RT_MANIFEST | 0x144d94 | 0x626 | XML 1.0 document, ASCII text, with CRLF line terminators | | | 0.44472681067344344
            RT_MANIFEST | 0x1453bc | 0x280 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.553125
            DLL | Import
            COMCTL32.dll |
            KERNEL32.dll | CompareStringA, FreeLibrary, LoadLibraryW, lstrcmpW, lstrcmpiW, GetSystemDefaultLangID, GetUserDefaultLangID, VerLanguageNameW, CompareFileTime, CreateDirectoryW, FindClose, FindFirstFileW, FindNextFileW, SetFileAttributesW, GetSystemTimeAsFileTime, GetPrivateProfileStringW, MoveFileW, LocalFree, FormatMessageW, GetSystemInfo, MulDiv, RaiseException, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, LoadLibraryExW, GetVersion, GetLocalTime, IsValidLocale, GetCommandLineW, GetFileAttributesW, FlushFileBuffers, SetEndOfFile, VirtualQuery, lstrcpyA, IsBadReadPtr, GetDiskFreeSpaceExW, GetDriveTypeW, GetExitCodeProcess, GetCurrentThread, GetLocaleInfoW, InterlockedExchange, LoadLibraryExA, DecodePointer, LCMapStringW, RtlUnwind, IsDebuggerPresent, MoveFileExW, WriteProcessMemory, VirtualProtectEx, GetSystemDirectoryW, CompareStringW, SetThreadContext, GetThreadContext, CreateProcessW, ResumeThread, TerminateProcess, ExitProcess, GetCurrentProcess, Sleep, WaitForSingleObject, DuplicateHandle, RemoveDirectoryW, DeleteFileW, SetCurrentDirectoryW, lstrlenW, lstrcpynA, LocalAlloc, lstrcmpA, SystemTimeToFileTime, ResetEvent, SetEvent, Process32NextW, Process32FirstW, CreateToolhelp32Snapshot, GetCurrentDirectoryW, FindResourceExW, GetEnvironmentVariableW, SetFileTime, GetFileTime, OpenProcess, GetProcessTimes, ReadConsoleW, WriteConsoleW, SetStdHandle, SetFilePointerEx, GetConsoleMode, GetConsoleCP, FatalAppExitA, EnumSystemLocalesW, GetUserDefaultLCID, GetTimeFormatW, GetDateFormatW, SetConsoleCtrlHandler, OutputDebugStringW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCurrentProcessId, QueryPerformanceCounter, GetFileType, HeapReAlloc, CreateSemaphoreW, GetStartupInfoW, TlsFree, TlsSetValue, IsProcessorFeaturePresent, lstrcatW, GetVersionExW, InterlockedDecrement, InterlockedIncrement, CreateEventW, QueryPerformanceFrequency, GetTempFileNameW, CopyFileW, GetTickCount, GetExitCodeThread, CreateThread, FindResourceW, GlobalFree, GlobalUnlock, GlobalLock, GlobalAlloc, SizeofResource, LockResource, LoadResource, lstrcpyW, GetWindowsDirectoryW, SetErrorMode, GetTempPathW, FlushInstructionCache, ExpandEnvironmentStringsW, lstrcpynW, GetModuleFileNameW, GetProcessHeap, HeapFree, HeapAlloc, WriteFile, SetFilePointer, ReadFile, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, UnmapViewOfFile, MapViewOfFile, CreateFileMappingW, CloseHandle, GetFileSize, CreateFileW, SetLastError, GetLastError, LoadLibraryA, GetSystemDirectoryA, GetProcAddress, GetModuleHandleW, TlsGetValue, TlsAlloc, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetStringTypeW, GetCPInfo, GetOEMCP, GetACP, IsValidCodePage, GetCurrentThreadId, HeapSize, AreFileApisANSI, GetModuleHandleExW, GetStdHandle, EncodePointer
            USER32.dll | CreateWindowExW, SetTimer, KillTimer, LoadCursorW, RegisterClassW, DefWindowProcW, PostMessageW, DispatchMessageW, TranslateMessage, GetMessageW, PostQuitMessage, GetSysColorBrush, CharPrevW, SendDlgItemMessageW, wvsprintfW, LoadImageW, CreateDialogParamW, MoveWindow, SetCursor, GetWindow, GetDlgItemTextW, SetFocus, EnableWindow, SetForegroundWindow, SetActiveWindow, SetDlgItemTextW, IsDialogMessageW, FindWindowW, SubtractRect, IntersectRect, SetRect, FillRect, GetSysColor, GetWindowRect, GetDC, GetSystemMetrics, GetDlgCtrlID, CreateDialogIndirectParamW, DestroyWindow, IsWindow, SendMessageW, MessageBoxW, CharNextW, WaitForInputIdle, SetWindowLongW, GetWindowLongW, GetClientRect, EndPaint, BeginPaint, ReleaseDC, ExitWindowsEx, CharUpperW, GetWindowDC, SetWindowPos, SetWindowTextW, GetDlgItem, EndDialog, DialogBoxIndirectParamW, ShowWindow, GetDesktopWindow, MsgWaitForMultipleObjects, PeekMessageW, wsprintfW, LoadIconW
            GDI32.dll | UnrealizeObject, CreateHalftonePalette, GetDIBColorTable, SelectPalette, RealizePalette, GetSystemPaletteEntries, CreatePalette, CreateFontW, GetObjectW, SetTextColor, SetBkMode, GetDeviceCaps, CreateSolidBrush, CreateFontIndirectW, SetStretchBltMode, StretchBlt, SelectObject, DeleteDC, CreateDIBitmap, CreateCompatibleDC, BitBlt, DeleteObject, GetStockObject, TranslateCharsetInfo
            ADVAPI32.dll | CryptCreateHash, CryptSignHashW, GetTokenInformation, FreeSid, EqualSid, AllocateAndInitializeSid, OpenThreadToken, OpenProcessToken, SetEntriesInAclW, SetSecurityDescriptorOwner, SetSecurityDescriptorGroup, SetSecurityDescriptorDacl, InitializeSecurityDescriptor, CreateWellKnownSid, RegQueryInfoKeyW, RegEnumKeyExW, RegDeleteKeyW, RegSetValueExW, RegEnumValueW, RegCreateKeyExW, RegDeleteValueW, RegQueryValueExW, RegOpenKeyExW, RegCloseKey, AdjustTokenPrivileges, LookupPrivilegeValueW, RegOverridePredefKey, RegCreateKeyW, RegEnumKeyW, RegOpenKeyW, CryptAcquireContextW, CryptReleaseContext, CryptDeriveKey, CryptDestroyKey, CryptSetHashParam, CryptGetHashParam, CryptExportKey, CryptImportKey, CryptDestroyHash, CryptHashData, CryptVerifySignatureW
            SHELL32.dll | SHGetMalloc, SHGetFolderPathW, SHBrowseForFolderW, ShellExecuteW, CommandLineToArgvW, SHGetSpecialFolderLocation, ShellExecuteExW, SHGetPathFromIDListW
            ole32.dll | CoCreateInstance, StringFromGUID2, CoCreateGuid, CreateItemMoniker, GetRunningObjectTable, CLSIDFromProgID, CoTaskMemAlloc, CoTaskMemRealloc, ProgIDFromCLSID, CoTaskMemFree, CoUninitialize, CoInitializeSecurity, CoInitialize
            OLEAUT32.dll | RegisterTypeLib, UnRegisterTypeLib, SetErrorInfo, LoadTypeLib, CreateErrorInfo, SysAllocStringLen, SysFreeString, SysReAllocStringLen, SysStringLen, SysAllocString, SysStringByteLen, SysAllocStringByteLen, VarBstrCat, VarBstrFromDate, VariantClear, VariantChangeType, GetErrorInfo, VarUI4FromStr, SystemTimeToVariantTime
            RPCRT4.dll | RpcStringFreeW, UuidCreate, UuidToStringW, UuidFromStringW
            Language of compilation system | Country where language is spoken | Map
            English | United States |
            No network behavior found
            Target ID:0
            Start time:06:19:12
            Start date:01/10/2024
            Path:C:\Users\user\Desktop\SureDI.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\Desktop\SureDI.exe"
            Imagebase:0x400000
            File size:100'313'696 bytes
            MD5 hash:1A6A5DBFD0A009F1D1738EB4ABD18316
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:low
            Has exited:true

            Target ID:1
            Start time:06:19:16
            Start date:01/10/2024
            Path:C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe
            Wow64 process (32bit):true
            Commandline:C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\SureDI.exe /q"C:\Users\user\Desktop\SureDI.exe" /tempdisk1folder"C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}" /IS_temp
            Imagebase:0x400000
            File size:100'313'696 bytes
            MD5 hash:1A6A5DBFD0A009F1D1738EB4ABD18316
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:low
            Has exited:true

            Target ID:2
            Start time:06:19:21
            Start date:01/10/2024
            Path:C:\Windows\System32\msiexec.exe
            Wow64 process (32bit):false
            Commandline:"C:\Windows\system32\MSIEXEC.EXE" /i "C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\Rigaku SureDI.msi" TRANSFORMS="C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}\1033.MST" SETUPEXEDIR="C:\Users\user\Desktop" SETUPEXENAME="SureDI.exe"
            Imagebase:0x7ff6073a0000
            File size:69'632 bytes
            MD5 hash:E5DA170027542E25EDE42FC54C929077
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:3
            Start time:06:19:22
            Start date:01/10/2024
            Path:C:\Windows\System32\msiexec.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\msiexec.exe /V
            Imagebase:0x7ff6073a0000
            File size:69'632 bytes
            MD5 hash:E5DA170027542E25EDE42FC54C929077
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:false

            Target ID:4
            Start time:06:19:22
            Start date:01/10/2024
            Path:C:\Windows\SysWOW64\msiexec.exe
            Wow64 process (32bit):true
            Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding CDB15B2CE92E28F3B8622149A9799E65 C
            Imagebase:0xc80000
            File size:59'904 bytes
            MD5 hash:9D09DC1EDA745A5F87553048E57620CF
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:6
            Start time:06:19:36
            Start date:01/10/2024
            Path:C:\Windows\SysWOW64\msiexec.exe
            Wow64 process (32bit):true
            Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 72C84AB51E330DD7B93C0FC1C98E56AC
            Imagebase:0xc80000
            File size:59'904 bytes
            MD5 hash:9D09DC1EDA745A5F87553048E57620CF
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:9
            Start time:06:19:50
            Start date:01/10/2024
            Path:C:\Windows\System32\msiexec.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\System32\MsiExec.exe -Embedding 61343986035DDA98571FD63CB9C8F73D E Global\MSI0000
            Imagebase:0x7ff6073a0000
            File size:69'632 bytes
            MD5 hash:E5DA170027542E25EDE42FC54C929077
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:10
            Start time:06:19:57
            Start date:01/10/2024
            Path:C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe
            Wow64 process (32bit):false
            Commandline:"C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.MonitorService.v1.0.exe"
            Imagebase:0x1c2398f0000
            File size:25'088 bytes
            MD5 hash:82F5C155503E5188DAA96564F9261CD0
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:low
            Has exited:false

            Target ID:12
            Start time:06:19:58
            Start date:01/10/2024
            Path:C:\Windows\SysWOW64\msiexec.exe
            Wow64 process (32bit):true
            Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 60E1AB94C32A1ADB74E0CFD4F89B3AA8 E Global\MSI0000
            Imagebase:0xc80000
            File size:59'904 bytes
            MD5 hash:9D09DC1EDA745A5F87553048E57620CF
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:13
            Start time:06:20:02
            Start date:01/10/2024
            Path:C:\Program Files\Rigaku\SureDI\Rigaku.EresSystem.Monitor.v1.0.exe
            Wow64 process (32bit):false
            Commandline:True
            Imagebase:0x216e2910000
            File size:190'976 bytes
            MD5 hash:1A56D8CD4728BBA1C2B8CE8BE0DF4F82
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Reputation:low
            Has exited:false

            Target ID:14
            Start time:06:20:08
            Start date:01/10/2024
            Path:C:\Windows\SysWOW64\explorer.exe
            Wow64 process (32bit):false
            Commandline:explorer.exe
            Imagebase:0xe30000
            File size:4'514'184 bytes
            MD5 hash:DD6597597673F72E10C9DE7901FBA0A8
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:moderate
            Has exited:true

            Target ID:15
            Start time:06:20:10
            Start date:01/10/2024
            Path:C:\Windows\System32\svchost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
            Imagebase:0x7ff6eef20000
            File size:55'320 bytes
            MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:false
              Execution Graph

              Execution Coverage:4.3%
              Dynamic/Decrypted Code Coverage:0%
              Signature Coverage:22.7%
              Total number of Nodes:1420
              Total number of Limit Nodes:124
68007->68011 68017 401b80 Mailbox 4 API calls 68008->68017 68012 44b59c 68009->68012 68016 403d20 70 API calls 68011->68016 68014 416071 71 API calls 68012->68014 68018 44b5ab GetModuleFileNameW 68014->68018 68015 4202d0 80 API calls 68019 44b650 CopyFileW 68015->68019 68020 44c3ae 68016->68020 68021 44c4f5 68017->68021 68022 411bd3 97 API calls 68018->68022 68023 4160cc 72 API calls 68019->68023 68024 419d16 93 API calls 68020->68024 69207 41e05f 6 API calls 2 library calls 68021->69207 68026 44b5c5 68022->68026 68027 44b69f 68023->68027 68028 44c3c1 68024->68028 68030 416398 97 API calls 68026->68030 68031 416071 71 API calls 68027->68031 68032 44c3de 68028->68032 69203 404ee0 71 API calls __vwprintf_l 68028->69203 68029 44c504 68033 401b80 Mailbox 4 API calls 68029->68033 68034 44b5db 68030->68034 68035 44b6ae 68031->68035 68037 44c3e6 68032->68037 68038 44c489 68032->68038 68039 44c513 68033->68039 68040 411c81 Mailbox 71 API calls 68034->68040 68977 413cee 68035->68977 69204 4121e5 8 API calls 68037->69204 69206 428fee 926 API calls 68038->69206 68042 401ac0 __vwprintf_l 4 API calls 68039->68042 68043 44b5eb 68040->68043 68046 44c522 68042->68046 68047 401b80 Mailbox 4 API calls 68043->68047 68052 419085 2 API calls 68046->68052 68053 44b5fa 68047->68053 68049 44c494 68050 401ac0 __vwprintf_l 4 API calls 68049->68050 68050->68004 68052->67923 68055 401b80 Mailbox 4 API calls 68053->68055 68055->67999 68057 44c406 Mailbox 68061 401ac0 __vwprintf_l 4 API calls 68057->68061 68062 44c424 Mailbox 68061->68062 68066 401b80 Mailbox 4 API calls 68062->68066 68068 44c442 68066->68068 69205 41e05f 6 API calls 2 library calls 68068->69205 68072 44c451 68074 401b80 Mailbox 4 API calls 68072->68074 68076 44c460 68074->68076 68078 401ac0 __vwprintf_l 4 API calls 68076->68078 68080 44c46f 68078->68080 68082 419085 2 API calls 68080->68082 68082->67894 68330 4590ef 70470 458fc0 68330->70470 68332 4590fe 68332->67665 68333->67638 68334->67642 68335->67649 68339->67668 
68340->67674 68341->67676 68342->67681 68343->67680 68346 45913b 68344->68346 68347 459178 68346->68347 68348 459159 Sleep 68346->68348 68353 4681a5 68346->68353 68347->67685 68350 462365 TlsSetValue 68347->68350 68349 459170 68348->68349 68349->68346 68349->68347 68350->67688 68351->67692 68352->67689 68354 4681b0 68353->68354 68360 4681cb 68353->68360 68355 4681bc 68354->68355 68354->68360 68361 456505 68 API calls __getptd_noexit 68355->68361 68357 4681db HeapAlloc 68358 4681c1 68357->68358 68357->68360 68358->68346 68360->68357 68360->68358 68362 45e0d6 DecodePointer 68360->68362 68361->68358 68362->68360 68364 467e3e EnterCriticalSection 68363->68364 68365 467e2b 68363->68365 68364->67696 68371 467ec2 68 API calls 7 library calls 68365->68371 68367 467e31 68367->68364 68372 458dfb 68 API calls 3 library calls 68367->68372 68370->67698 68371->68367 68376 45918c 68373->68376 68375 4591c0 68375->67716 68376->68375 68377 45919f Sleep 68376->68377 68379 4576a6 68376->68379 68378 4591b8 68377->68378 68378->68375 68378->68376 68380 457721 68379->68380 68384 4576b2 68379->68384 68404 45e0d6 DecodePointer 68380->68404 68382 457727 68405 456505 68 API calls __getptd_noexit 68382->68405 68387 4576bd 68384->68387 68388 4576e5 RtlAllocateHeap 68384->68388 68390 45770d 68384->68390 68394 45770b 68384->68394 68401 45e0d6 DecodePointer 68384->68401 68386 457719 68386->68376 68387->68384 68396 458775 68 API calls 2 library calls 68387->68396 68397 4587d2 68 API calls 8 library calls 68387->68397 68398 458cd5 68387->68398 68388->68384 68388->68386 68402 456505 68 API calls __getptd_noexit 68390->68402 68403 456505 68 API calls __getptd_noexit 68394->68403 68396->68387 68397->68387 68406 458ca3 GetModuleHandleExW 68398->68406 68401->68384 68402->68394 68403->68386 68404->68382 68405->68386 68407 458cd3 ExitProcess 68406->68407 68408 458cbc GetProcAddress 68406->68408 68408->68407 68409 458cce 68408->68409 68409->68407 68410->67732 68411->67727 68412->67727 68413->67735 68415 
461ea0 EncodePointer 68414->68415 68415->68415 68416 461eba 68415->68416 68416->67739 68430 453861 68417->68430 68419 453962 68419->67742 68464 487b42 68420->68464 68423 487b37 68423->67742 68473 402ca0 68425->68473 68427 4b4315 68428 453957 __cinit 78 API calls 68427->68428 68429 4b431f 68428->68429 68429->67742 68431 45386d __mtinitlocknum 68430->68431 68438 458fae 68431->68438 68437 453890 __mtinitlocknum 68437->68419 68439 467e1a __lock 68 API calls 68438->68439 68440 453872 68439->68440 68441 4538a1 DecodePointer DecodePointer 68440->68441 68442 45387e 68441->68442 68443 4538ce 68441->68443 68454 45389b 68442->68454 68443->68442 68457 459103 69 API calls __vswprintf_helper 68443->68457 68445 4538e0 68446 453931 EncodePointer EncodePointer 68445->68446 68447 4538fe 68445->68447 68448 45390b 68445->68448 68446->68442 68458 4591c7 72 API calls __recalloc 68447->68458 68448->68442 68449 453905 68448->68449 68449->68448 68453 45391f EncodePointer 68449->68453 68459 4591c7 72 API calls __recalloc 68449->68459 68452 453919 68452->68442 68452->68453 68453->68446 68460 458fb7 68454->68460 68457->68445 68458->68449 68459->68452 68463 467f9e LeaveCriticalSection 68460->68463 68462 4538a0 68462->68437 68463->68462 68470 48c06d GetModuleHandleW GetProcAddress 68464->68470 68466 487b2e 68466->68423 68467 487b5e 68466->68467 68468 48c06d 4 API calls 68467->68468 68469 487b6d 68468->68469 68469->68423 68471 48c08e GetSystemInfo 68470->68471 68472 48c096 GetNativeSystemInfo 68470->68472 68471->68466 68472->68466 68474 402cd1 68473->68474 68475 402cde GetLastError 68473->68475 68474->68475 68476 402d23 68475->68476 68479 406810 68476->68479 68478 402d49 SetLastError 68478->68427 68480 406866 68479->68480 68485 40681e 68479->68485 68481 406876 68480->68481 68482 4068ff 68480->68482 68489 406888 _memmove 68481->68489 68494 407350 68481->68494 68517 452cdb 69 API calls 2 library calls 68482->68517 68485->68480 68490 406845 68485->68490 68489->68478 68500 405fb0 68490->68500 68493 
406860 68493->68478 68496 407368 SysAllocStringLen 68494->68496 68497 4073ab _memmove 68496->68497 68498 4073d7 68497->68498 68499 4073cf SysFreeString 68497->68499 68498->68489 68499->68498 68501 405fc9 68500->68501 68502 4060ac 68500->68502 68504 405fd6 68501->68504 68505 406009 68501->68505 68519 452d09 69 API calls 3 library calls 68502->68519 68506 4060b6 68504->68506 68510 405fe2 68504->68510 68507 4060c0 68505->68507 68508 406015 68505->68508 68520 452d09 69 API calls 3 library calls 68506->68520 68521 452cdb 69 API calls 2 library calls 68507->68521 68513 407350 __vwprintf_l 2 API calls 68508->68513 68516 406027 _memmove 68508->68516 68518 406950 69 API calls 2 library calls 68510->68518 68513->68516 68515 406000 68515->68493 68516->68493 68518->68515 68519->68506 68520->68507 68522->67747 69210 453643 68523->69210 68525 44a8c3 68525->67750 68526 449455 68525->68526 68527 449464 _memset __EH_prolog3_GS 68526->68527 68528 449518 InitializeSecurityDescriptor 68527->68528 68529 449535 CreateWellKnownSid 68528->68529 68537 44952e 68528->68537 68530 44955b CreateWellKnownSid 68529->68530 68529->68537 68532 449578 CreateWellKnownSid 68530->68532 68530->68537 68531 454691 __vwprintf_l 6 API calls 68533 449747 68531->68533 68534 449595 CreateWellKnownSid 68532->68534 68532->68537 68533->67750 68535 4495b6 CreateWellKnownSid 68534->68535 68534->68537 68536 4495d7 SetEntriesInAclW 68535->68536 68535->68537 68536->68537 68538 4496bb 68536->68538 68537->68531 68538->68537 68539 4496c3 SetSecurityDescriptorOwner 68538->68539 68539->68537 68540 4496dc SetSecurityDescriptorGroup 68539->68540 68540->68537 68541 4496f5 SetSecurityDescriptorDacl 68540->68541 68541->68537 68542 44970f CoInitializeSecurity 68541->68542 68542->68537 68544 448bc4 __EH_prolog3 68543->68544 69218 448b8d 68544->69218 68546 448c24 68547 448b8d 69 API calls 68546->68547 68548 448c30 68547->68548 68549 448b8d 69 API calls 68548->68549 68550 448c3c 68549->68550 69222 455577 68550->69222 68554 448c6f 
68555 403870 2 API calls 68554->68555 68556 448c83 68555->68556 68557 403870 2 API calls 68556->68557 68558 448c97 68557->68558 68559 403870 2 API calls 68558->68559 68560 448cab 68559->68560 68561 403870 2 API calls 68560->68561 68562 448cbf 68561->68562 68563 403870 2 API calls 68562->68563 68564 448cd3 68563->68564 68565 403870 2 API calls 68564->68565 68566 448ce7 68565->68566 68567 403870 2 API calls 68566->68567 68568 448cfb 68567->68568 68569 403870 2 API calls 68568->68569 68570 448d0f 68569->68570 68571 403870 2 API calls 68570->68571 68572 448d23 68571->68572 68573 403870 2 API calls 68572->68573 68574 448d37 68573->68574 68575 403870 2 API calls 68574->68575 68576 448d4b 68575->68576 68577 403870 2 API calls 68576->68577 68578 448d5f 68577->68578 68579 403870 2 API calls 68578->68579 68580 448d73 68579->68580 68581 403870 2 API calls 68580->68581 68582 448d87 68581->68582 68583 403870 2 API calls 68582->68583 68584 448d9b 68583->68584 68585 403870 2 API calls 68584->68585 68586 448daf 68585->68586 69233 49b7e0 68586->69233 68588 448db9 ~_Task_impl 68588->67753 68590 403e4a GetLastError SetLastError 68589->68590 68591 403e3d 68589->68591 68590->67755 68591->68590 68593 4160d8 __EH_prolog3 68592->68593 69247 4118ec 68593->69247 68595 4160e8 ~_Task_impl 68595->67757 68597 416088 SysReAllocStringLen 68596->68597 68599 4160a0 68596->68599 68600 4160b7 GetModuleFileNameW 68597->68600 68599->68600 69252 4142a0 69 API calls __vwprintf_l 68599->69252 68602 411bd3 68600->68602 69253 4546e2 68602->69253 68604 411bdf GetLastError 68605 411c04 68604->68605 68606 411bef 68604->68606 68607 411c36 SetLastError 68605->68607 68609 4114d7 95 API calls 68605->68609 68608 403e90 71 API calls 68606->68608 68610 454691 __vwprintf_l 6 API calls 68607->68610 68608->68605 68611 411c1b 68609->68611 68612 411c42 68610->68612 68613 411c81 Mailbox 71 API calls 68611->68613 68616 4115ed 68612->68616 68614 411c2a 68613->68614 68615 401b80 Mailbox 4 API calls 68614->68615 68615->68607 
68617 4115f9 __EH_prolog3 68616->68617 69254 411357 68617->69254 68619 411629 ~_Task_impl 68619->67763 68621 411462 __EH_prolog3 68620->68621 69263 411254 68621->69263 68623 411484 ~_Task_impl 68623->67765 68625 449757 __EH_prolog3_GS 68624->68625 68626 411c81 Mailbox 71 API calls 68625->68626 68627 44976f 68626->68627 68628 416398 97 API calls 68627->68628 68629 44977f 68628->68629 68630 411c81 Mailbox 71 API calls 68629->68630 68631 449791 68630->68631 68632 401b80 Mailbox 4 API calls 68631->68632 68633 44979d 68632->68633 68634 418f22 74 API calls 68633->68634 68635 4497b4 68634->68635 68636 403e30 2 API calls 68635->68636 68637 4497d8 68636->68637 68638 416071 71 API calls 68637->68638 68639 4497fa 68638->68639 68640 419d16 93 API calls 68639->68640 68641 44980e 68640->68641 68642 44982f 68641->68642 68643 403e90 71 API calls 68641->68643 68646 449841 68642->68646 69305 44a186 69 API calls 68642->69305 68643->68642 69300 415adc 68646->69300 68647 449856 68648 416071 71 API calls 68647->68648 68649 449874 68648->68649 68650 419d16 93 API calls 68649->68650 68651 449888 68650->68651 68652 4498a9 68651->68652 68653 403e90 71 API calls 68651->68653 68654 4498ec 68652->68654 68655 416071 71 API calls 68652->68655 68653->68652 68656 415adc 70 API calls 68654->68656 68657 4498bb 68655->68657 68658 4498fd 68656->68658 68659 403e90 71 API calls 68657->68659 68661 416071 71 API calls 68658->68661 68660 4498d5 68659->68660 68662 41d689 78 API calls 68660->68662 68663 44991b 68661->68663 68664 4498e0 68662->68664 68665 419d16 93 API calls 68663->68665 68666 401b80 Mailbox 4 API calls 68664->68666 68667 44992f 68665->68667 68666->68654 68668 449950 68667->68668 68669 403e90 71 API calls 68667->68669 68670 449992 68668->68670 68672 416071 71 API calls 68668->68672 68669->68668 68671 419d16 93 API calls 68670->68671 68673 4499ad 68671->68673 68674 449962 68672->68674 68676 419d16 93 API calls 68673->68676 68675 403e90 71 API calls 68674->68675 68677 44997b 68675->68677 68678 
4499ca 68676->68678 68679 41d689 78 API calls 68677->68679 68680 419d16 93 API calls 68678->68680 68681 449986 68679->68681 68683 4499e0 68680->68683 68682 401b80 Mailbox 4 API calls 68681->68682 68682->68670 68684 419d16 93 API calls 68683->68684 68685 4499fe 68684->68685 68686 419d16 93 API calls 68685->68686 68687 449a1c 68686->68687 68688 415adc 70 API calls 68687->68688 68689 449a31 68688->68689 68690 416071 71 API calls 68689->68690 68691 449a4f 68690->68691 68692 419d16 93 API calls 68691->68692 68693 449a63 68692->68693 68694 449a84 68693->68694 68696 403e90 71 API calls 68693->68696 68695 449ae7 68694->68695 68697 411254 Mailbox 73 API calls 68694->68697 68698 415adc 70 API calls 68695->68698 68696->68694 68699 449aa9 68697->68699 68700 449af2 68698->68700 68701 449adb 68699->68701 68702 411c81 Mailbox 71 API calls 68699->68702 68704 416071 71 API calls 68700->68704 68703 401b80 Mailbox 4 API calls 68701->68703 68705 449abe 68702->68705 68703->68695 68706 449b10 68704->68706 68707 41d689 78 API calls 68705->68707 68708 419d16 93 API calls 68706->68708 68709 449acc 68707->68709 68710 449b24 68708->68710 68711 401b80 Mailbox 4 API calls 68709->68711 68712 449b45 68710->68712 68713 403e90 71 API calls 68710->68713 68711->68701 68714 449bac 68712->68714 68716 411254 Mailbox 73 API calls 68712->68716 68713->68712 68715 415adc 70 API calls 68714->68715 68717 449bb7 68715->68717 68718 449b6a 68716->68718 68722 416071 71 API calls 68717->68722 68719 449b9c 68718->68719 68721 411c81 Mailbox 71 API calls 68718->68721 68720 401b80 Mailbox 4 API calls 68719->68720 68720->68714 68723 449b7f 68721->68723 68724 449bd5 68722->68724 68725 41d689 78 API calls 68723->68725 68727 419d16 93 API calls 68724->68727 68726 449b8d 68725->68726 68728 401b80 Mailbox 4 API calls 68726->68728 68729 449be9 68727->68729 68728->68719 68730 449c0a 68729->68730 68732 403e90 71 API calls 68729->68732 68731 449c47 68730->68731 68733 41d689 78 API calls 68730->68733 68734 449c54 68731->68734 
69306 44a466 89 API calls 68731->69306 68732->68730 68735 449c23 68733->68735 68741 449c83 68734->68741 69307 44a491 89 API calls 3 library calls 68734->69307 68738 401b80 Mailbox 4 API calls 68735->68738 68740 449c32 68738->68740 68739 449c62 68739->68741 69308 44a1fa 92 API calls 4 library calls 68739->69308 68740->68731 68746 411c81 Mailbox 71 API calls 68740->68746 68743 401b80 Mailbox 4 API calls 68741->68743 68745 449c8f 68743->68745 68744 449c74 68747 401b80 Mailbox 4 API calls 68744->68747 68748 419085 2 API calls 68745->68748 68746->68731 68747->68741 68749 449c9e 68748->68749 68750 401b80 Mailbox 4 API calls 68749->68750 68751 449caa 68750->68751 68752 401b80 Mailbox 4 API calls 68751->68752 68753 449cb6 68752->68753 68754 454691 __vwprintf_l 6 API calls 68753->68754 68755 449cbb 68754->68755 68755->67767 68757 418f2e __EH_prolog3 68756->68757 69309 418f5e 68757->69309 68761 418f50 ~_Task_impl 68761->67770 68763 403b9a GetLastError SetLastError 68762->68763 68764 403b8d 68762->68764 68763->67772 68764->68763 68766 403d38 SysReAllocStringLen 68765->68766 68769 403d50 68765->68769 68768 403d7a 68766->68768 68771 419d16 68768->68771 68769->68768 69321 4558c7 68 API calls 3 library calls 68769->69321 68773 419d25 __EH_prolog3_GS ___get_qualified_locale 68771->68773 68772 419e68 68774 454691 __vwprintf_l 6 API calls 68772->68774 68773->68772 68776 411637 73 API calls 68773->68776 68777 401b80 GetLastError SysFreeString SysFreeString SetLastError Mailbox 68773->68777 68778 418f5e 2 API calls 68773->68778 68780 419e72 SysFreeString 68773->68780 68781 419e45 SysStringLen 68773->68781 69322 41006b 81 API calls 68773->69322 68775 419e6f 68774->68775 68775->67780 69129 404ee0 71 API calls __vwprintf_l 68775->69129 68776->68773 68777->68773 68778->68773 68780->68772 68781->68780 68783 419e50 SysFreeString 68781->68783 68783->68773 68785 419432 __EH_prolog3_GS 68784->68785 68786 4194cb 68785->68786 68787 403b80 __vwprintf_l 2 API calls 68785->68787 68788 454691 
__vwprintf_l 6 API calls 68786->68788 68789 419467 68787->68789 68790 4194d0 68788->68790 69323 403750 68789->69323 68800 401ac0 GetLastError 68790->68800 68793 4194bf 68796 401ac0 __vwprintf_l 4 API calls 68793->68796 68794 402ca0 __vwprintf_l 73 API calls 68795 41949f 68794->68795 68797 402940 302 API calls 68795->68797 68796->68786 68798 4194b3 68797->68798 68799 401ac0 __vwprintf_l 4 API calls 68798->68799 68799->68793 68801 45461d 68800->68801 68802 401adf SysFreeString 68801->68802 68803 401af3 SysFreeString 68802->68803 68804 401af8 SetLastError 68802->68804 68803->68804 68804->67789 68806 448b12 __EH_prolog3 68805->68806 68807 448b2b GetLastError 68806->68807 69461 41df0a 68807->69461 68809 448b50 SetLastError 68810 448b79 ~_Task_impl 68809->68810 68810->67842 69463 492d83 GetVersion 68811->69463 68813 492bbc 68814 492bc0 68813->68814 69464 492c18 GetCurrentThread OpenThreadToken 68813->69464 68814->67938 69490 4546e2 68817->69490 68819 486453 AllocateAndInitializeSid 68820 4864ca AllocateAndInitializeSid 68819->68820 68821 4864b0 68819->68821 68820->68821 68823 4864ea AllocateAndInitializeSid 68820->68823 68822 4115ed 73 API calls 68821->68822 68835 4864c5 68822->68835 68823->68821 68824 48650a _memset 68823->68824 68825 486519 SetEntriesInAclW 68824->68825 68825->68821 68826 4865bb 68825->68826 68827 4865ee InitializeSecurityDescriptor 68826->68827 68828 4865d5 68826->68828 68830 4865f9 68827->68830 68831 486613 SetSecurityDescriptorDacl 68827->68831 68829 4115ed 73 API calls 68828->68829 68829->68835 68833 4115ed 73 API calls 68830->68833 68831->68830 68832 48662d 68831->68832 68834 403e30 2 API calls 68832->68834 68833->68835 68837 48665b 68834->68837 68836 454691 __vwprintf_l 6 API calls 68835->68836 68838 486794 68836->68838 68839 4160cc 72 API calls 68837->68839 68838->67947 68840 486674 68839->68840 68841 416071 71 API calls 68840->68841 68842 486683 GetTempPathW 68841->68842 68843 411bd3 97 API calls 68842->68843 68844 48669b 68843->68844 69491 
48631a UuidCreate 68844->69491 68851 4194f3 72 API calls 68852 4866e0 68851->68852 68853 401b80 Mailbox 4 API calls 68852->68853 68854 4866e8 68853->68854 68855 401b80 Mailbox 4 API calls 68854->68855 68856 4866f3 68855->68856 68857 401b80 Mailbox 4 API calls 68856->68857 68858 486702 68857->68858 68859 411254 Mailbox 73 API calls 68858->68859 68860 486726 68859->68860 69524 48343a 68860->69524 68862 48672b 68863 486749 68862->68863 68864 486732 68862->68864 69535 41634a 78 API calls 3 library calls 68863->69535 68865 4115ed 73 API calls 68864->68865 68867 486747 68865->68867 68868 401b80 Mailbox 4 API calls 68867->68868 68868->68835 68870 41d695 __EH_prolog3_GS 68869->68870 69574 41d76e 68870->69574 68872 41d6ad 68873 401b80 Mailbox 4 API calls 68872->68873 68874 41d6b8 68873->68874 69580 416956 68874->69580 68876 41d6c5 68877 401b80 Mailbox 4 API calls 68876->68877 68878 41d6d0 68877->68878 68879 411456 73 API calls 68878->68879 68880 41d6da 68879->68880 68881 454691 __vwprintf_l 6 API calls 68880->68881 68882 41d6e8 68881->68882 68883 401b80 GetLastError 68882->68883 68884 45461d 68883->68884 68885 401b9f SysFreeString 68884->68885 68886 401bb3 SysFreeString 68885->68886 68887 401bb8 SetLastError 68885->68887 68886->68887 68887->67915 68889 449cda __EH_prolog3 68888->68889 68890 411c81 Mailbox 71 API calls 68889->68890 68891 449ced 68890->68891 68892 401b80 Mailbox 4 API calls 68891->68892 68893 449cf9 ~_Task_impl 68892->68893 68893->67937 68895 4167f3 __EH_prolog3_GS 68894->68895 68896 411456 73 API calls 68895->68896 68897 416812 68896->68897 68898 41686b 68897->68898 69590 4166ac 97 API calls 3 library calls 68897->69590 68899 416398 97 API calls 68898->68899 68901 41687a 68899->68901 69586 4173d8 68901->69586 68902 416826 68904 4173d8 73 API calls 68902->68904 68906 416844 68904->68906 68905 41688c 68908 401b80 Mailbox 4 API calls 68905->68908 68907 411c81 Mailbox 71 API calls 68906->68907 68909 416851 68907->68909 68910 41689d 68908->68910 68911 401b80 
Mailbox 4 API calls 68909->68911 68912 401b80 Mailbox 4 API calls 68910->68912 68913 416860 68911->68913 68914 4168a9 68912->68914 68915 401b80 Mailbox 4 API calls 68913->68915 68916 454691 __vwprintf_l 6 API calls 68914->68916 68915->68898 68917 4168b0 68916->68917 68917->67978 68919 4163a7 __EH_prolog3_GS 68918->68919 68920 411456 73 API calls 68919->68920 68921 4163c9 68920->68921 69605 41724d 68921->69605 68923 4163eb 68924 4163f9 68923->68924 69610 41659d 94 API calls 3 library calls 68923->69610 68926 4115ed 73 API calls 68924->68926 68927 41643b 68926->68927 68928 41645c 68927->68928 68929 401b80 Mailbox 4 API calls 68927->68929 68930 416498 68928->68930 68931 41646b 68928->68931 68929->68928 68932 411c81 Mailbox 71 API calls 68930->68932 68933 4173d8 73 API calls 68931->68933 68936 416496 68932->68936 68934 41647d 68933->68934 68938 411c81 Mailbox 71 API calls 68934->68938 68935 4164cd 68937 41655a 68935->68937 68939 411357 73 API calls 68935->68939 68936->68935 69611 4168e8 78 API calls 3 library calls 68936->69611 68940 411456 73 API calls 68937->68940 68941 41648a 68938->68941 68944 4164ed 68939->68944 68945 41656b 68940->68945 68946 401b80 Mailbox 4 API calls 68941->68946 68943 4164c1 68947 401b80 Mailbox 4 API calls 68943->68947 69612 41659d 94 API calls 3 library calls 68944->69612 68949 401b80 Mailbox 4 API calls 68945->68949 68946->68936 68947->68935 68950 416583 68949->68950 68951 401b80 Mailbox 4 API calls 68950->68951 68952 41658f 68951->68952 68954 454691 __vwprintf_l 6 API calls 68952->68954 68953 416502 69613 415d9f 80 API calls __wcsnicmp 68953->69613 68956 41659a 68954->68956 68956->67995 68957 41652a 68958 41653f 68957->68958 69614 4169d3 72 API calls 68957->69614 68960 401b80 Mailbox 4 API calls 68958->68960 68961 41654e 68960->68961 68962 401b80 Mailbox 4 API calls 68961->68962 68962->68937 68964 4202dc __EH_prolog3_GS 68963->68964 68965 411456 73 API calls 68964->68965 68966 4202f6 68965->68966 68967 411456 73 API calls 68966->68967 
68968 42030a 68967->68968 69617 4212e8 68968->69617 68971 411456 73 API calls 68972 420325 68971->68972 68973 401b80 Mailbox 4 API calls 68972->68973 68974 420334 68973->68974 68975 454691 __vwprintf_l 6 API calls 68974->68975 68976 42033b 68975->68976 68976->68015 68978 413cfb __flswbuf 68977->68978 69639 4505de 68978->69639 68982 413d36 69656 413c64 68982->69656 69081 448e9f __EH_prolog3 69080->69081 69082 448eba 69081->69082 70429 49b890 DeleteObject DeleteObject DeleteObject 69081->70429 69084 401b80 Mailbox 4 API calls 69082->69084 69085 448ee0 69084->69085 69086 401b80 Mailbox 4 API calls 69085->69086 69087 448ef6 69086->69087 69088 401b80 Mailbox 4 API calls 69087->69088 69089 448f0c 69088->69089 69090 401b80 Mailbox 4 API calls 69089->69090 69091 448f22 69090->69091 69092 401b80 Mailbox 4 API calls 69091->69092 69093 448f38 69092->69093 69094 401b80 Mailbox 4 API calls 69093->69094 69095 448f4e 69094->69095 69096 401b80 Mailbox 4 API calls 69095->69096 69097 448f64 69096->69097 69098 401b80 Mailbox 4 API calls 69097->69098 69099 448f7a 69098->69099 69100 401b80 Mailbox 4 API calls 69099->69100 69101 448f90 69100->69101 69102 401b80 Mailbox 4 API calls 69101->69102 69103 448fa6 69102->69103 69104 401b80 Mailbox 4 API calls 69103->69104 69105 448fbc 69104->69105 69106 401b80 Mailbox 4 API calls 69105->69106 69107 448fd2 69106->69107 69108 401b80 Mailbox 4 API calls 69107->69108 69109 448fe8 69108->69109 69110 401b80 Mailbox 4 API calls 69109->69110 69111 448ffe 69110->69111 69112 401b80 Mailbox 4 API calls 69111->69112 69113 449014 69112->69113 69114 401b80 Mailbox 4 API calls 69113->69114 69115 44902a 69114->69115 69116 401b80 Mailbox 4 API calls 69115->69116 69117 44903d 69116->69117 70421 448df0 69117->70421 69119 449050 69120 448df0 69 API calls 69119->69120 69121 449063 69120->69121 69122 448df0 69 API calls 69121->69122 69123 449074 69122->69123 70425 417d80 69123->70425 69125 449080 ~_Task_impl 69125->67932 69127 453643 __setmbcp_nolock 6 API calls 
69126->69127 69128 44c666 69127->69128 69128->67665 69128->68330 69129->67780 69130->67791 69131->67802 69132->67778 69133->67790 69134->67796 69136 40294c 69135->69136 69139 40295a 69135->69139 69136->69139 70436 401be0 69136->70436 69137 402999 69137->67832 69139->69137 70443 4021c0 300 API calls 2 library calls 69139->70443 69141->67816 69142->67822 69143->67841 69144->67860 69146 419091 __EH_prolog3 69145->69146 69147 4190a8 69146->69147 70454 40f88a SysFreeString 69146->70454 69149 4190b7 SysFreeString 69147->69149 69150 4190c8 ~_Task_impl 69149->69150 69150->67923 69151->67873 69152->67891 69153->67840 69154->67875 69155->67893 69156->67851 69157->67872 69158->67919 69159->67836 69160->67887 69162 40637d 69161->69162 69163 40636f 69161->69163 69166 406f10 71 API calls 69162->69166 69164 406f10 71 API calls 69163->69164 69165 406378 69164->69165 69165->67878 69167 40639c 69166->69167 69167->67878 69168->67956 69169->67964 69171 403ea9 69170->69171 69172 403ebc 69170->69172 69173 406f10 71 API calls 69171->69173 69175 406f10 71 API calls 69172->69175 69174 403eb5 69173->69174 69174->67962 69176 403edc 69175->69176 69176->67962 69199->67976 69200->67985 69201->67990 69202->67994 69203->68032 69204->68057 69205->68072 69206->68049 69207->68029 69211 45364d IsProcessorFeaturePresent 69210->69211 69212 45364b 69210->69212 69214 456696 69211->69214 69212->68525 69217 456645 5 API calls ___raise_securityfailure 69214->69217 69216 456779 69216->68525 69217->69216 69219 448b99 __EH_prolog3 69218->69219 69238 449d04 69219->69238 69221 448baa ~_Task_impl 69221->68546 69224 45557f 69222->69224 69223 4576a6 _malloc 68 API calls 69223->69224 69224->69223 69225 448c4a 69224->69225 69227 45559b std::exception::exception 69224->69227 69245 45e0d6 DecodePointer 69224->69245 69230 403870 69225->69230 69246 454622 RaiseException 69227->69246 69229 4555c5 69231 40388a GetLastError SetLastError 69230->69231 69232 40387d 69230->69232 69231->68554 69232->69231 69234 49b7eb 
69233->69234 69235 49b7f0 69233->69235 69234->68588 69236 455577 Mailbox 69 API calls 69235->69236 69237 49b7f7 69236->69237 69237->68588 69239 449d10 __EH_prolog3_catch 69238->69239 69240 455577 Mailbox 69 API calls 69239->69240 69241 449d17 69240->69241 69242 449d24 ~_Task_impl 69241->69242 69244 452c58 69 API calls 4 library calls 69241->69244 69242->69221 69244->69242 69245->69224 69246->69229 69248 411911 69247->69248 69249 411907 69247->69249 69248->68595 69251 41721f 72 API calls 69249->69251 69251->69248 69252->68600 69253->68604 69255 411363 __EH_prolog3 69254->69255 69256 41137b GetLastError 69255->69256 69260 411703 69256->69260 69259 4113d2 ~_Task_impl 69259->68619 69261 406360 71 API calls 69260->69261 69262 4113a6 SetLastError 69261->69262 69262->69259 69264 411260 __EH_prolog3 69263->69264 69265 411278 GetLastError 69264->69265 69266 411292 69265->69266 69270 4116b0 69266->69270 69269 4112ce ~_Task_impl 69269->68623 69273 407470 69270->69273 69272 4112a2 SetLastError 69272->69269 69274 407489 69273->69274 69275 40756c 69273->69275 69277 407496 69274->69277 69278 4074c9 69274->69278 69296 452d09 69 API calls 3 library calls 69275->69296 69281 407576 69277->69281 69282 4074a2 69277->69282 69279 407580 69278->69279 69280 4074d5 69278->69280 69298 452cdb 69 API calls 2 library calls 69279->69298 69289 4074e7 _memmove 69280->69289 69295 407b20 SysAllocStringLen SysFreeString _memmove 69280->69295 69297 452d09 69 API calls 3 library calls 69281->69297 69290 407a50 69282->69290 69288 4074c0 69288->69272 69289->69272 69291 407aed 69290->69291 69292 407a65 _memmove 69290->69292 69299 452d09 69 API calls 3 library calls 69291->69299 69292->69288 69294 407af7 69294->69288 69295->69289 69296->69281 69297->69279 69299->69294 69301 415af5 69300->69301 69302 415ae8 SysFreeString 69300->69302 69303 407a50 Mailbox 69 API calls 69301->69303 69302->69301 69304 415b03 69303->69304 69304->68647 69305->68646 69306->68734 69307->68739 69308->68744 69310 418f74 
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 0044A89B
              • CoInitialize.OLE32(00000000), ref: 0044A8B5
                • Part of subcall function 0048715C: GetVersionExW.KERNEL32(?), ref: 00487180
              • GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,?,00000104), ref: 0044A93E
              • _memset.LIBCMT ref: 0044A9B7
              • GetCommandLineW.KERNEL32(?), ref: 0044A9D2
              • CommandLineToArgvW.SHELL32(00000000), ref: 0044A9D9
                • Part of subcall function 00449455: __EH_prolog3_GS.LIBCMT ref: 0044945F
                • Part of subcall function 00449455: _memset.LIBCMT ref: 0044948E
                • Part of subcall function 00449455: _memset.LIBCMT ref: 004494AB
                • Part of subcall function 00449455: _memset.LIBCMT ref: 004494C5
                • Part of subcall function 00449455: _memset.LIBCMT ref: 004494DF
                • Part of subcall function 00449455: _memset.LIBCMT ref: 004494F9
                • Part of subcall function 00449455: _memset.LIBCMT ref: 00449513
                • Part of subcall function 00449455: InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 00449524
              • CoUninitialize.COMBASE(?,00000001,clone_wait,00000000,00000001,00000001,Relaunching setup from temp,?,00000001,Setup.cpp,?,00000001), ref: 0044C659
                • Part of subcall function 0044A679: __EH_prolog3_GS.LIBCMT ref: 0044A680
                • Part of subcall function 00401AC0: GetLastError.KERNEL32(?,00000000,004035F7,00000000,00000000,?,?,00000000,004CBE7C,?,00000001,?,00000000,000000FF,-00000004,?), ref: 00401ACF
                • Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AEB
                • Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AF6
                • Part of subcall function 00401AC0: SetLastError.KERNEL32(?), ref: 00401B14
                • Part of subcall function 00403F40: GetLastError.KERNEL32(17703A82,?,?,?,?,004B39A8,000000FF), ref: 00403F82
                • Part of subcall function 00403F40: SetLastError.KERNEL32(?,00000000,00000000,000000FF,?,?,?,?,004B39A8,000000FF), ref: 00403FDE
                • Part of subcall function 004029B0: GetLastError.KERNEL32(004CBE7C,004CBE7A,?,?,?,17703A82,?,?,004B3CC8,000000FF), ref: 00402A2B
                • Part of subcall function 004029B0: SysFreeString.OLEAUT32(?), ref: 00402A47
                • Part of subcall function 004029B0: SysFreeString.OLEAUT32(?), ref: 00402A52
                • Part of subcall function 004029B0: SetLastError.KERNEL32(?), ref: 00402A72
                • Part of subcall function 00419D16: __EH_prolog3_GS.LIBCMT ref: 00419D20
                • Part of subcall function 00419D16: SysStringLen.OLEAUT32(?), ref: 00419E46
                • Part of subcall function 00419D16: SysFreeString.OLEAUT32(?), ref: 00419E55
              • wsprintfW.USER32 ref: 0044AF1B
              • _memset.LIBCMT ref: 0044AFF3
              • lstrcpyW.KERNEL32(?,00000009,00000000,00000001,00000001,?,?,?), ref: 0044B006
              • lstrlenW.KERNEL32(?,?,?,?), ref: 0044B013
              • _memset.LIBCMT ref: 0044B07A
              • lstrcpyW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0044B08D
              • _memset.LIBCMT ref: 0044B0ED
              • wsprintfW.USER32 ref: 0044B101
              • GetTempPathW.KERNEL32(00000104,00000000,?,00000104,tempdisk1folder,?,00000000,00000000,removeasmajorupgrade,00000000,00000000,00000001,?), ref: 0044B251
              • lstrcpyW.KERNEL32(C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB},?,?,tempdisk1folder,?,00000000,00000000,removeasmajorupgrade,00000000,00000000,00000001,?), ref: 0044B3A1
              • lstrlenW.KERNEL32(00000000), ref: 0044B488
              • GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,?,00000104,?,00000000,00000000,?,00000001,00000001,?,00000000,?,00000000,?), ref: 0044B5B0
                • Part of subcall function 004202D0: __EH_prolog3_GS.LIBCMT ref: 004202D7
              • CopyFileW.KERNELBASE(?,?,00000000,?,?,?,?,?,00000000,00000000,?,00000001,00000001,?,00000000,?), ref: 0044B686
                • Part of subcall function 004160CC: __EH_prolog3.LIBCMT ref: 004160D3
                • Part of subcall function 00416071: SysStringLen.OLEAUT32(?), ref: 0041607E
                • Part of subcall function 00416071: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 00416098
                • Part of subcall function 00411BD3: __EH_prolog3_GS.LIBCMT ref: 00411BDA
                • Part of subcall function 00411BD3: GetLastError.KERNEL32(00000038,004212CA), ref: 00411BE1
                • Part of subcall function 00411BD3: SetLastError.KERNEL32(00000000), ref: 00411C37
                • Part of subcall function 004115ED: __EH_prolog3.LIBCMT ref: 004115F4
                • Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00415457,00000000,?,00000000,?,00000001,00000044,004152EA,004CC0A0,?,00000000,00000000,00000040,004115AA), ref: 00401B8F
                • Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
                • Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
                • Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4
              • CopyFileW.KERNELBASE(?,?,00000000,00000000,?,?,00000001,00000001,00000000,?,?,00000001,00000001,00000000,?,00000104), ref: 0044B7C0
                • Part of subcall function 004114D7: __EH_prolog3_GS.LIBCMT ref: 004114DE
              • CopyFileW.KERNELBASE(?,?,00000000,00000000,?,?,ISSetup.dll,00000001,00000001,00000000,?,?,ISSetup.dll,00000001,00000001,00000000), ref: 0044B8F8
                • Part of subcall function 00403E30: GetLastError.KERNEL32 ref: 00403E4F
                • Part of subcall function 00403E30: SetLastError.KERNEL32(?), ref: 00403E7F
                • Part of subcall function 0044F6F4: __EH_prolog3_GS.LIBCMT ref: 0044F6FE
                • Part of subcall function 0044F6F4: _memset.LIBCMT ref: 0044F731
                • Part of subcall function 0044F6F4: GetModuleFileNameW.KERNEL32(?,00000104), ref: 0044F74B
                • Part of subcall function 0044F6F4: _memset.LIBCMT ref: 0044F778
                • Part of subcall function 0044F6F4: _memset.LIBCMT ref: 0044F7C3
                • Part of subcall function 0044F6F4: GetTempPathW.KERNEL32(00000104,?,?,?,?,?,?,?,?,?), ref: 0044F7D7
                • Part of subcall function 0044F6F4: GetTempFileNameW.KERNELBASE(?,004BC35C,00000000,?,?,?,?,?,?,?,?,?), ref: 0044F7F1
              • CopyFileW.KERNELBASE(?,?,00000000,00000000,?,?,00000000,?,?), ref: 0044BA6D
              • __swprintf.LIBCMT ref: 0044BAFA
              • CopyFileW.KERNEL32(?,?,00000000), ref: 0044BBB2
              • CopyFileW.KERNEL32(?,?,00000000), ref: 0044BC7E
                • Part of subcall function 004193C8: __EH_prolog3.LIBCMT ref: 004193CF
                • Part of subcall function 0041B8CE: __EH_prolog3.LIBCMT ref: 0041B8D5
                • Part of subcall function 00402CA0: GetLastError.KERNEL32(17703A82,?,00000000,?,?,?,004B3A88,000000FF,?,00401F2D,InstallShield.log,?,00000001), ref: 00402CF0
                • Part of subcall function 00402CA0: SetLastError.KERNEL32(?,004CBE7C,00000000,?,00000000,?,?,?,004B3A88,000000FF,?,00401F2D,InstallShield.log,?,00000001), ref: 00402D68
                • Part of subcall function 00403D20: SysStringLen.OLEAUT32(?), ref: 00403D2E
                • Part of subcall function 00403D20: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 00403D48
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: ErrorLast$_memset$String$File$H_prolog3_$Free$Copy$H_prolog3Name$ModuleTemplstrcpy$AllocCommandInitializeLinePathlstrlenwsprintf$ArgvDescriptorSecurityUninitializeVersion__swprintf
              • String ID: /IS_temp$ /debuglog$ /eprq$%s %s$%s /q"%s" /tempdisk1folder"%s" %s$%s%s$%s\%04x.mst$%s\0x%04x.ini$4$C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}$ISSetup.dll$ISSetup.dll$InstallShield setup.exe (Unicode) started, cmdline: %s$K$Languages$Relaunching setup from temp$Running after reboot$Running as remove major upgrade$Setup returning %d$Setup.cpp$Skin$Startup$clone_wait$count$debuglog$eprq$k$key%d$l/O$reboot$removeasmajorupgrade$runfromtemp$runprerequisites$setup.isn$tempdisk1folder
              • API String ID: 1409475150-2613314487
              • Opcode ID: 805e390c67370da47b0802d9a3bdfb51a1ab22a6cbaf76bc1c3df665faf232e6
              • Instruction ID: 11b0c0a79c4086cff2dfa7ac9ded622351de9110c5d15a732cfb76e11f9ee215
              • Opcode Fuzzy Hash: 805e390c67370da47b0802d9a3bdfb51a1ab22a6cbaf76bc1c3df665faf232e6
              • Instruction Fuzzy Hash: B803AE70901258DEEB20EB60CC55BEEBBB4AF15308F5440EEE14963192DB785F88DF96

              Control-flow Graph

              APIs
              • __EH_prolog3_GS.LIBCMT ref: 0044945F
              • _memset.LIBCMT ref: 0044948E
              • _memset.LIBCMT ref: 004494AB
              • _memset.LIBCMT ref: 004494C5
              • _memset.LIBCMT ref: 004494DF
              • _memset.LIBCMT ref: 004494F9
              • _memset.LIBCMT ref: 00449513
              • InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 00449524
              • CreateWellKnownSid.ADVAPI32(0000001A,00000000,?,?), ref: 00449555
              • CreateWellKnownSid.ADVAPI32(00000017,00000000,?,?), ref: 00449572
              • CreateWellKnownSid.ADVAPI32(00000018,00000000,?,?), ref: 0044958F
              • CreateWellKnownSid.ADVAPI32(00000010,00000000,?,?), ref: 004495AC
              • CreateWellKnownSid.ADVAPI32(00000016,00000000,?,?), ref: 004495CD
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: _memset$CreateKnownWell$DescriptorH_prolog3_InitializeSecurity
              • String ID:
              • API String ID: 4043395516-0
              • Opcode ID: f08aec7eff6c4aefe46cc67bf412c80d22f6a5390c6718333f3a2945182e11ab
              • Instruction ID: ff29950d92136a4df5fb95f24d7be31bb684dad3be6694df63312d793453c6e0
              • Opcode Fuzzy Hash: f08aec7eff6c4aefe46cc67bf412c80d22f6a5390c6718333f3a2945182e11ab
              • Instruction Fuzzy Hash: 1B91A7B1D4122DAADB21DF95CC84BDEBBBCBB08340F5041ABA509E6241DB349F85DF54

              Control-flow Graph

              APIs
              • GetFileSize.KERNEL32(?,00000000,?,00000008,00000000,?,?,?,004130B1,000000FF,?,?,000000FF,?), ref: 00412EB7
              • GetProcessHeap.KERNEL32(00000008,00000001,?,00000008,00000000,?,?,?,004130B1,000000FF,?,?,000000FF,?), ref: 00412ED8
              • HeapAlloc.KERNEL32(00000000,?,00000008,00000000,?,?,?,004130B1,000000FF,?,?,000000FF,?), ref: 00412EDF
              • ReadFile.KERNEL32(?,00000000,00000000,00000000,00000000,?,00000008,00000000,?,?,?,004130B1,000000FF,?,?,000000FF), ref: 00412EFD
              • _strlen.LIBCMT ref: 00412F0C
              • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000008,00000000,?,?,?,004130B1,000000FF,?,?,000000FF,?), ref: 00412F41
              • HeapFree.KERNEL32(00000000,?,00000008,00000000,?,?,?,004130B1,000000FF,?,?,000000FF,?), ref: 00412F48
              • GetProcessHeap.KERNEL32(00000008,00000003,?,00000008,00000000,?,?,?,004130B1,000000FF,?,?,000000FF,?), ref: 00412F58
              • HeapAlloc.KERNEL32(00000000,?,00000008,00000000,?,?,?,004130B1,000000FF,?,?,000000FF,?), ref: 00412F5F
              • ReadFile.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000008,00000000,?,?,?,004130B1,000000FF,?,?,000000FF), ref: 00412F79
              • GetProcessHeap.KERNEL32(00000000,00000000,?,00000008,00000000,?,?,?,004130B1,000000FF,?,?,000000FF,?), ref: 00412F97
              • HeapFree.KERNEL32(00000000,?,00000008,00000000,?,?,?,004130B1,000000FF,?,?,000000FF,?), ref: 00412F9E
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: Heap$Process$File$AllocFreeRead$Size_strlen
              • String ID:
              • API String ID: 3537955524-0
              • Opcode ID: 0e335c69c9e8a4c705d8797985e188c0371b7c5e892a795bc969df67d08881a5
              • Instruction ID: 0bbc72de3321a4c0a1c7a56d9397d728790b6aca6fcfc8c6f70cf73759b6ccfe
              • Opcode Fuzzy Hash: 0e335c69c9e8a4c705d8797985e188c0371b7c5e892a795bc969df67d08881a5
              • Instruction Fuzzy Hash: 5531AB31500204BBDB209BA9DD4CFABBBF8EF49711F010229F905C6190DB789955DB68

              Control-flow Graph

              APIs
              • __EH_prolog3_GS.LIBCMT ref: 0048644E
              • AllocateAndInitializeSid.ADVAPI32(?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0000014C,0044B27B,?), ref: 004864AA
              • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 004864E4
              • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000221,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00486504
              • _memset.LIBCMT ref: 00486514
              • SetEntriesInAclW.ADVAPI32 ref: 004865AD
                • Part of subcall function 004115ED: __EH_prolog3.LIBCMT ref: 004115F4
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: AllocateInitialize$EntriesH_prolog3H_prolog3__memset
              • String ID:
              • API String ID: 2124067425-0
              • Opcode ID: 48036dfde1f8039eb669a0c828bfa89a2405418678d50598a6509e0c503596f4
              • Instruction ID: 952a4963ee3c3f2a467fd170cd9c5a9fcdb99d7ee53994570e2ed0ca3f5e3222
              • Opcode Fuzzy Hash: 48036dfde1f8039eb669a0c828bfa89a2405418678d50598a6509e0c503596f4
              • Instruction Fuzzy Hash: 69915370D002589ADB50EF95CC85FEEB7B8BF18708F4044EEE509B6251DBB85B848F69

              Control-flow Graph

              APIs
              • GetModuleHandleW.KERNEL32(kernel32,GetNativeSystemInfo,?,00487B51,?), ref: 0048C07A
              • GetProcAddress.KERNEL32(00000000), ref: 0048C081
              • GetSystemInfo.KERNEL32(Q{H,?,00487B51,?), ref: 0048C08E
              • GetNativeSystemInfo.KERNELBASE(Q{H,?,00487B51,?), ref: 0048C096
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: InfoSystem$AddressHandleModuleNativeProc
              • String ID: GetNativeSystemInfo$Q{H$kernel32
              • API String ID: 3433367815-2005607725
              • Opcode ID: 0c93b812c10837beeceef64523a28cd2c2a715ddfeec3e465174b7ec90f29c82
              • Instruction ID: 1538a138a9e51c37b67dcc563f445cfc6f7ebf90fe5a3c95f9cc3e814f11eebd
              • Opcode Fuzzy Hash: 0c93b812c10837beeceef64523a28cd2c2a715ddfeec3e465174b7ec90f29c82
              • Instruction Fuzzy Hash: 5DD0A939144608BB9A003BF0BC08E2F3BACAA04A913000522F90880020DA7E90408A6C

              Control-flow Graph

              APIs
              • GetCurrentThread.KERNEL32 ref: 00492C3C
              • OpenThreadToken.ADVAPI32(00000000), ref: 00492C43
              • GetLastError.KERNEL32 ref: 00492C53
              • GetCurrentProcess.KERNEL32(00000008,?), ref: 00492C62
              • OpenProcessToken.ADVAPI32(00000000), ref: 00492C69
              • GetLastError.KERNEL32 ref: 00492C6F
              • GetTokenInformation.KERNELBASE(?,00000002,00000000,00000000,?), ref: 00492CA0
              • GetLastError.KERNEL32 ref: 00492CB5
              • GetTokenInformation.KERNELBASE(?,00000002,00000000,?,?), ref: 00492CD4
              • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000223,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00492CFE
              • EqualSid.ADVAPI32(00000004,?), ref: 00492D19
              • FreeSid.ADVAPI32(?), ref: 00492D45
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: Token$ErrorLast$CurrentInformationOpenProcessThread$AllocateEqualFreeInitialize
              • String ID:
              • API String ID: 884311744-0
              • Opcode ID: 7b2b2fe4250f2d25e0697f5bdf8f1a3dad44d9e7057756e93615840d5cc23429
              • Instruction ID: 60abc2d6e6213b46bf765a5ca6918da625bb530aae7b8df725df85e943767943
              • Opcode Fuzzy Hash: 7b2b2fe4250f2d25e0697f5bdf8f1a3dad44d9e7057756e93615840d5cc23429
              • Instruction Fuzzy Hash: 9641E071900209BFEF10AFA5DE49BBFBFACEF01304F10413AF501A61A1D6B89D459B28

              Control-flow Graph

              APIs
              • __EH_prolog3_GS.LIBCMT ref: 004510EB
              • _memset.LIBCMT ref: 004510FF
              • _memset.LIBCMT ref: 00451110
              • lstrcpyW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00451144
              • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000001,00000020,00000000,00000000,?,?,?,?,00000001), ref: 004511C9
              • WaitForInputIdle.USER32(?,000003E8), ref: 00451205
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: _memset$CreateH_prolog3_IdleInputProcessWaitlstrcpy
              • String ID: Attempting to launch (no wait): %s$Launch result %d$utils.cpp
              • API String ID: 1927448135-2306871107
              • Opcode ID: 8db4e77fd48a411e78c2cd0274cfd1c3b1004e9ca43a079ead25159d5ddfb15a
              • Instruction ID: 64abd7bd8271011ffe33f6c8c5c519c09d9a72d33cdff06146d81e7695e4b975
              • Opcode Fuzzy Hash: 8db4e77fd48a411e78c2cd0274cfd1c3b1004e9ca43a079ead25159d5ddfb15a
              • Instruction Fuzzy Hash: 33312172900118AADB20AB55CC85BDE73FCBB44305F0481EBA989A6151DE745E858FA5

              Control-flow Graph

              APIs
              • __EH_prolog3.LIBCMT ref: 00483441
              • GetModuleHandleW.KERNEL32(kernel32.dll,CreateDirectoryW,00000000,00483FD6), ref: 0048345E
              • GetProcAddress.KERNEL32(00000000), ref: 00483461
              • CreateDirectoryW.KERNELBASE(?,?), ref: 00483478
              • GetModuleHandleW.KERNEL32(kernel32.dll,CreateDirectoryA), ref: 00483486
              • GetProcAddress.KERNEL32(00000000), ref: 00483489
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: AddressHandleModuleProc$CreateDirectoryH_prolog3
              • String ID: CreateDirectoryA$CreateDirectoryW$kernel32.dll
              • API String ID: 662308948-2917578371
              • Opcode ID: ca11af104a98484e12c56847ca4d97cafec3493c759babe90dec43b6acee64c4
              • Instruction ID: 7c43ebcfae33dbb0d80fa6128bc444348dc91a693e45730b9e766298328a11d6
              • Opcode Fuzzy Hash: ca11af104a98484e12c56847ca4d97cafec3493c759babe90dec43b6acee64c4
              • Instruction Fuzzy Hash: 46F0A430200304BBDB11AFB5CC85E9E3764AB44F55B54462EB80297141DB3CDA45C7AD

              Control-flow Graph

              APIs
              • __EH_prolog3.LIBCMT ref: 0044E680
              • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,0000003C,0044E2D1,?,?,00000044,0044F763,00000008,00000010,0044D239), ref: 0044E6B0
              • CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000), ref: 0044E6D9
              • GetSystemInfo.KERNELBASE(000000FF), ref: 0044E6FB
              • MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,?), ref: 0044E70F
              • IsBadReadPtr.KERNEL32(?,000000F8), ref: 0044E743
              • UnmapViewOfFile.KERNEL32(00000000), ref: 0044E761
              • MapViewOfFile.KERNEL32(00000008,00000004,00000000,00000000,?), ref: 0044E773
              • GetLastError.KERNEL32 ref: 0044E7F4
              • IsBadReadPtr.KERNEL32(?,000000F8), ref: 0044E7A1
                • Part of subcall function 00404BF0: CloseHandle.KERNELBASE(?,00000000,0048975B,?,0000006C,0048BECB,004881FF,?,?), ref: 00404C03
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: File$View$CreateRead$CloseErrorH_prolog3HandleInfoLastMappingSystemUnmap
              • String ID:
              • API String ID: 2562861213-0
              • Opcode ID: 31077dee5f8923edc430d9062c1a5e4d57a3f78e4e7a015d1bc45f5320d2d03e
              • Instruction ID: 8b898aad32ef725742a6a37fbab3d8cd386f04521a23ff26a7f590eafdbc4021
              • Opcode Fuzzy Hash: 31077dee5f8923edc430d9062c1a5e4d57a3f78e4e7a015d1bc45f5320d2d03e
              • Instruction Fuzzy Hash: CE518270A002159FEB20DFA6CC85BAEBBB4BF04714F50016AE911B72D1D7B89D05CB99

              Control-flow Graph

              APIs
              • __EH_prolog3_GS.LIBCMT ref: 0044F6FE
              • _memset.LIBCMT ref: 0044F731
              • GetModuleFileNameW.KERNEL32(?,00000104), ref: 0044F74B
                • Part of subcall function 0044D1A9: __EH_prolog3_GS.LIBCMT ref: 0044D1B0
                • Part of subcall function 0044D1A9: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0044D25D
                • Part of subcall function 0044D1A9: GetLastError.KERNEL32 ref: 0044D26B
              • _memset.LIBCMT ref: 0044F778
                • Part of subcall function 0045054A: __EH_prolog3_GS.LIBCMT ref: 00450551
              • _memset.LIBCMT ref: 0044F7C3
              • GetTempPathW.KERNEL32(00000104,?,?,?,?,?,?,?,?,?), ref: 0044F7D7
              • GetTempFileNameW.KERNELBASE(?,004BC35C,00000000,?,?,?,?,?,?,?,?,?), ref: 0044F7F1
                • Part of subcall function 004115ED: __EH_prolog3.LIBCMT ref: 004115F4
                • Part of subcall function 0041CFC8: __EH_prolog3.LIBCMT ref: 0041CFCF
                • Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00415457,00000000,?,00000000,?,00000001,00000044,004152EA,004CC0A0,?,00000000,00000000,00000040,004115AA), ref: 00401B8F
                • Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
                • Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
                • Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4
              • lstrcpyW.KERNEL32(?,004F2640,?,?,?,?,?), ref: 0044F872
              • DeleteFileW.KERNELBASE(00000000,?,?,004CBE7C,?,?,00000000,00000000), ref: 0044F92E
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: File$ErrorH_prolog3_Last_memset$FreeH_prolog3NameStringTemp$CreateDeleteModulePathlstrcpy
              • String ID:
              • API String ID: 1036951016-0
              • Opcode ID: b40d00e58b7ec03f516759d40193c0f3e5246b22641318ec8c531e0558d757f2
              • Instruction ID: 57b4eeb22d48b95e94d042f12da2d83c528b1230b262065d8a46ee6cf7c9c5e6
              • Opcode Fuzzy Hash: b40d00e58b7ec03f516759d40193c0f3e5246b22641318ec8c531e0558d757f2
              • Instruction Fuzzy Hash: E551407190111CAEDB60EBA4CC85EDE77B8AF14304F1001EAE509A7151EB786FD9CFA9

              Control-flow Graph

              APIs
              • __EH_prolog3_GS.LIBCMT ref: 0044E479
              • _memset.LIBCMT ref: 0044E4A2
              • ReadFile.KERNEL32(?,?,00000138,?,00000000), ref: 0044E4C5
              • GetLastError.KERNEL32 ref: 0044E4CF
              • _memset.LIBCMT ref: 0044E570
              • ReadFile.KERNELBASE(?,00000000,00000018,?,00000000), ref: 0044E58D
              • _memset.LIBCMT ref: 0044E5DF
              • ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 0044E5F9
              • GetLastError.KERNEL32 ref: 0044E603
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: FileRead_memset$ErrorLast$H_prolog3_
              • String ID:
              • API String ID: 2677393532-0
              • Opcode ID: 03f53e59e9d80f7f8efd5e6eb1669a1f0fffef3ae4ec16ed4ac8b10fa65cf56f
              • Instruction ID: e69e3c41b9f8932b49764492fd32aa9e23fad2252aaef6373effe451ef6bdff3
              • Opcode Fuzzy Hash: 03f53e59e9d80f7f8efd5e6eb1669a1f0fffef3ae4ec16ed4ac8b10fa65cf56f
              • Instruction Fuzzy Hash: C5513E75A00218EFDB50DF65CC40ADEB7B8BF08354F4011AAF909E3641E7349A94CF59

              Control-flow Graph

              APIs
              • __EH_prolog3_GS.LIBCMT ref: 00413051
                • Part of subcall function 00412E2C: CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000001,00000000,?,00000008,00000000,?,00413077,000000FF,?), ref: 00412E4F
                • Part of subcall function 00412E9E: GetFileSize.KERNEL32(?,00000000,?,00000008,00000000,?,?,?,004130B1,000000FF,?,?,000000FF,?), ref: 00412EB7
                • Part of subcall function 00412E9E: GetProcessHeap.KERNEL32(00000008,00000001,?,00000008,00000000,?,?,?,004130B1,000000FF,?,?,000000FF,?), ref: 00412ED8
                • Part of subcall function 00412E9E: HeapAlloc.KERNEL32(00000000,?,00000008,00000000,?,?,?,004130B1,000000FF,?,?,000000FF,?), ref: 00412EDF
                • Part of subcall function 00412E9E: ReadFile.KERNEL32(?,00000000,00000000,00000000,00000000,?,00000008,00000000,?,?,?,004130B1,000000FF,?,?,000000FF), ref: 00412EFD
                • Part of subcall function 00412E9E: _strlen.LIBCMT ref: 00412F0C
                • Part of subcall function 00412E9E: GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000008,00000000,?,?,?,004130B1,000000FF,?,?,000000FF,?), ref: 00412F41
                • Part of subcall function 00412E9E: HeapFree.KERNEL32(00000000,?,00000008,00000000,?,?,?,004130B1,000000FF,?,?,000000FF,?), ref: 00412F48
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: Heap$File$Process$AllocCreateFreeH_prolog3_ReadSize_strlen
              • String ID: $ hK$4hK$8hK$<hK$@hK
              • API String ID: 3764712436-1896373571
              • Opcode ID: a5ff7774364b568a051c0045ce5780e7e32af29492d2fb035b6c2f26a12a4a5a
              • Instruction ID: a41bef3a84d16267f55435936380596bd0e07c923a5f1aea64d2bfac84541f38
              • Opcode Fuzzy Hash: a5ff7774364b568a051c0045ce5780e7e32af29492d2fb035b6c2f26a12a4a5a
              • Instruction Fuzzy Hash: 9EF16E71D01258DEDB20DFA5CC85BDEBBB8AF15308F5441AEE009B7281DB781E85CB65

              Control-flow Graph

              APIs
              • __EH_prolog3.LIBCMT ref: 0044E078
              • VirtualQuery.KERNEL32(?,0044E265,0000001C,0000004C,0044E265,00000008,?,0044F763,8DF633FF,?,?,?,0044E2ED,0044F763,?,00000008), ref: 0044E0A4
                • Part of subcall function 0044E31D: CompareStringA.KERNELBASE(00000400,00000001,?,00000008,00000008,000000FF,1DDCE8FF,00000000,0044F763,?,0044E0C0,.debug,0044F763,?,0044E2ED,0044F763), ref: 0044E345
              • GetSystemInfo.KERNELBASE(?,?,0044E2ED,0044F763,?), ref: 0044E159
              • MapViewOfFile.KERNELBASE(00000000,00000004,00000000,?,0044E2ED,?,?,0044E2ED,0044F763,?), ref: 0044E17B
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: CompareFileH_prolog3InfoQueryStringSystemViewVirtual
              • String ID: .debug$.rdata$.text
              • API String ID: 3690134103-733372908
              • Opcode ID: 3094cd7667992896d25fd7d7c58827f563aa5da6c3f6a08190f34be1ea1ddaba
              • Instruction ID: f46627409292ae39a6f5b098cf630beb3d8dccbe7897afef774860db6035680f
              • Opcode Fuzzy Hash: 3094cd7667992896d25fd7d7c58827f563aa5da6c3f6a08190f34be1ea1ddaba
              • Instruction Fuzzy Hash: 0D418271A4020ADFEB14DF95C885AAEB7B6FF84310F15452BED1497381DB78E910CB98

              Control-flow Graph

              APIs
              • _memset.LIBCMT ref: 0044F731
              • GetModuleFileNameW.KERNEL32(?,00000104), ref: 0044F74B
              • _memset.LIBCMT ref: 0044F778
              • _memset.LIBCMT ref: 0044F7C3
              • GetTempPathW.KERNEL32(00000104,?,?,?,?,?,?,?,?,?), ref: 0044F7D7
              • GetTempFileNameW.KERNELBASE(?,004BC35C,00000000,?,?,?,?,?,?,?,?,?), ref: 0044F7F1
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: _memset$FileNameTemp$ModulePath
              • String ID:
              • API String ID: 38856497-0
              • Opcode ID: 3599018cf8e0bc1ee803ffbafb71bf648e3ca2f62538d610afd31d1f2cd37db1
              • Instruction ID: ac01fd07f18adf3f87d211775757dd8c658a07a523352b3ed1bdf6979c5389d7
              • Opcode Fuzzy Hash: 3599018cf8e0bc1ee803ffbafb71bf648e3ca2f62538d610afd31d1f2cd37db1
              • Instruction Fuzzy Hash: 1D416F7280111CAEDB21EBA0CC85EEEB778AF54304F1001EAE509A3091EB785FD9CF65

              Control-flow Graph

              APIs
              • GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 00401914
              • GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 0040192B
              • RegOpenKeyExW.KERNELBASE(?,?,00000000,?,00000000), ref: 00401964
              • RegCloseKey.ADVAPI32(00000000), ref: 00401977
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: AddressCloseHandleModuleOpenProc
              • String ID: Advapi32.dll$RegOpenKeyTransactedW
              • API String ID: 823179699-3913318428
              • Opcode ID: 9544e8038fda6aadd3407f1f9c0a5edc40418a8e1e1406ed27deeef98cf46db5
              • Instruction ID: 6d9883065cb8061a492fa128d7442225750c744befe0f552c4aa7ed79dbc1b8c
              • Opcode Fuzzy Hash: 9544e8038fda6aadd3407f1f9c0a5edc40418a8e1e1406ed27deeef98cf46db5
              • Instruction Fuzzy Hash: 57118EB1200205EBEB208F56CC54F6BBBA9EB55700F14403AF906B72A0D7B99940DB68

              Control-flow Graph (function 0044D1A9, basic blocks 44d1a9-44d3be; executed / not-executed block coloring and edge list not reproduced in text)
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 0044D1B0
                • Part of subcall function 00403870: GetLastError.KERNEL32 ref: 0040388F
                • Part of subcall function 00403870: SetLastError.KERNEL32(?), ref: 004038BF
                • Part of subcall function 0044D118: __EH_prolog3.LIBCMT ref: 0044D11F
              • CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0044D25D
              • GetLastError.KERNEL32 ref: 0044D26B
              • _memset.LIBCMT ref: 0044D287
                • Part of subcall function 0044EE57: SetFilePointer.KERNELBASE(?,?,00000000,?,00000000,?,?,?,?,0044DF8B,00000000,?,00000000,00000000), ref: 0044EE77
                • Part of subcall function 0044EE57: GetLastError.KERNEL32(?,?,?,?,0044DF8B,00000000,?,00000000,00000000), ref: 0044EE7F
              • ReadFile.KERNELBASE(0000002E,?,0000002E,?,00000000,?,?,00000000,00000000,00000044,0044F763,?), ref: 0044D2B9
                • Part of subcall function 0044DBC2: __EH_prolog3_GS.LIBCMT ref: 0044DBC9
              • ReadFile.KERNEL32(?,?,0000002E,?,00000000,?,?,00000000,00000000,?), ref: 0044D330
              Similarity
              • API ID: ErrorFileLast$H_prolog3_Read$CreateH_prolog3Pointer_memset
              • String ID:
              • API String ID: 1186803598-0
              • Opcode ID: 002562d066bc753936e4b10c489fb342ed21d0bf80c9f78cb74a4058a0b2e4f2
              • Instruction ID: f1cc9c915c0d57ee8882fb8534b1b1efaf737ffdd73120134cc08977d48d10de
              • Opcode Fuzzy Hash: 002562d066bc753936e4b10c489fb342ed21d0bf80c9f78cb74a4058a0b2e4f2
              • Instruction Fuzzy Hash: 27616970A00340DBEF64DF69CD85B9E7BA8FF44704F1001AEED019A286D7B9D945CB5A
              APIs
              • CreateFileW.KERNELBASE(?,40000000,00000003,00000000,00000002,00000080,00000000,?,?,?,?,?,000000FF), ref: 0040847C
              • WriteFile.KERNELBASE(?,?,?,?,00000000), ref: 00408526
              • FlushFileBuffers.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 00408553
              • CloseHandle.KERNELBASE ref: 004085D4
              Similarity
              • API ID: File$BuffersCloseCreateFlushHandleWrite
              • String ID:
              • API String ID: 4137531733-0
              • Opcode ID: c6532ecccad192d05d0cea23b12b2b17fcaaf988c9548aa108965525785ace82
              • Instruction ID: efbd2f63c7570e76f75569050f9374d620f4dc2cad63fd855a36513abd023ece
              • Opcode Fuzzy Hash: c6532ecccad192d05d0cea23b12b2b17fcaaf988c9548aa108965525785ace82
              • Instruction Fuzzy Hash: 88516C715087009FD720DF28DD84B5BB7E4BB84714F004A3EF994A72D0EB78D9098B5A
              APIs
                • Part of subcall function 004018F0: GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 00401914
                • Part of subcall function 004018F0: RegCloseKey.ADVAPI32(00000000), ref: 00401977
              • RegQueryValueExW.ADVAPI32(00000000,DoVerboseLogging,00000000,?,?,?), ref: 00401C3D
              • RegCloseKey.ADVAPI32(00000000), ref: 00401C5D
              Strings
              • DoVerboseLogging, xrefs: 00401C29
              • SOFTWARE\InstallShield\22.0\Professional, xrefs: 00401BED
              Similarity
              • API ID: Close$HandleModuleQueryValue
              • String ID: DoVerboseLogging$SOFTWARE\InstallShield\22.0\Professional
              • API String ID: 2971604672-398011643
              • Opcode ID: 94932af3eb3834ecdd12c67bc80261677f023a6c190492e392f840d55a466365
              • Instruction ID: bad2eadee7d624efb20919d1bbf3e3aab3b9ecf3b90818b4236738a69546f6cd
              • Opcode Fuzzy Hash: 94932af3eb3834ecdd12c67bc80261677f023a6c190492e392f840d55a466365
              • Instruction Fuzzy Hash: 6C01717598522DEBEB10EB95C846BEFBBBCEB00704F10016AE905B2181D3795A48CBD9
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 0044DF17
              • CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,00000044,0044DF07,?,00000000,?,?,?,?), ref: 0044DF5E
              • GetLastError.KERNEL32 ref: 0044DF6B
              • CloseHandle.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,?,00000000,?,00000000,00000000), ref: 0044DFE5
              Similarity
              • API ID: CloseCreateErrorFileH_prolog3_HandleLast
              • String ID:
              • API String ID: 3060235777-0
              • Opcode ID: abae3de993cca4bb82d2f1768c22d6a8c15b2f23dce81b437412cea0bf41fe11
              • Instruction ID: 0798376b292cf178765227674a4e27467f1bad3c2790861867865eac80b962bc
              • Opcode Fuzzy Hash: abae3de993cca4bb82d2f1768c22d6a8c15b2f23dce81b437412cea0bf41fe11
              • Instruction Fuzzy Hash: A631AE70E003049FEB24DFA1C894BAEBBB5BF45714F14412EE8526B2C1DB799C0ACB18
              APIs
              Similarity
              • API ID: ErrorFileLastRead_memset_strlen
              • String ID:
              • API String ID: 908522378-0
              • Opcode ID: 538927e2a01fa5041461e814a45bfa8a5c80afa1b33d0d785b052ea50103abaa
              • Instruction ID: 8dcd4795aea641e1abad95a049834353c389ac54543442ae49f53a8ad148b6f4
              • Opcode Fuzzy Hash: 538927e2a01fa5041461e814a45bfa8a5c80afa1b33d0d785b052ea50103abaa
              • Instruction Fuzzy Hash: D4316DB1600209AFEB24CF6AC884E5B7BEAFF88354B14456AF815CB211D735ED11CB64
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 00413592
              • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 004135C7
                • Part of subcall function 00408A90: CloseHandle.KERNELBASE(?,?,00412E65,?,00000008,00000000,?,00413077,000000FF,?), ref: 00408AA4
                • Part of subcall function 00413B31: WriteFile.KERNELBASE(?,00000008,00000000,?,00000000,00000000,?,0041362B,00000000,?,?,00000000,00000001,0000FEFF), ref: 00413B53
              Similarity
              • API ID: File$CloseCreateH_prolog3_HandleWrite
              • String ID: ]
              • API String ID: 1217578190-3462329250
              • Opcode ID: 4fceebf6922eec4669e9e7b6d137d094089c32a631cb065b067b939d6954f45b
              • Instruction ID: 1a754b2e5294efa6679a0d1fb15930197e40a2e98f6ccfaab87a59367460f961
              • Opcode Fuzzy Hash: 4fceebf6922eec4669e9e7b6d137d094089c32a631cb065b067b939d6954f45b
              • Instruction Fuzzy Hash: 4CB16EB1C00258AEDB14EBA5CC42BDEBBB8AF55308F10419EE145B7191EB782BC5CF64
              APIs
              Similarity
              • API ID: _memmove
              • String ID: invalid string position$string too long
              • API String ID: 4104443479-4289949731
              • Opcode ID: 0ab526912878a681de9e9704969818e7843d585fae9bc6dd3e90022c15d1d257
              • Instruction ID: 52867d2548ecbffc30194faacf1138eeeb96fb9619d98d938fe09067c1ca3d5e
              • Opcode Fuzzy Hash: 0ab526912878a681de9e9704969818e7843d585fae9bc6dd3e90022c15d1d257
              • Instruction Fuzzy Hash: 1B410F333053108BC624AF5CE98086AF3EAFF91721321493FE442D7690E736E86587E9
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 00412CC1
                • Part of subcall function 0041182B: __EH_prolog3.LIBCMT ref: 00411832
              • _memset.LIBCMT ref: 00412CF5
              • _wcscpy.LIBCMT ref: 00412D0D
              Similarity
              • API ID: H_prolog3H_prolog3__memset_wcscpy
              • String ID:
              • API String ID: 776734056-0
              • Opcode ID: d9799865715bea7d586193c3f43d3dbbe580ddf12e0093f1f1ac5bb75b8cd1b1
              • Instruction ID: 734f6a2381d56bd8ab7e871b873cad169eddee8b64eb21334fe49526dfc12139
              • Opcode Fuzzy Hash: d9799865715bea7d586193c3f43d3dbbe580ddf12e0093f1f1ac5bb75b8cd1b1
              • Instruction Fuzzy Hash: D5413E7191022C9ADB60EFA5CC99BDDB7B8AF14314F1001EEA109A71A1DB785FC5CF58
              APIs
              Similarity
              • API ID: String$AllocFree_memmove
              • String ID:
              • API String ID: 439004091-0
              • Opcode ID: 4d712b4696f95688d6407e80c8014a2df1886bc078119d99755905f4c3f45187
              • Instruction ID: 8b42c92dab40e32542374290c2271ecdb19ae668f6855f75c0c7cbed96ebd625
              • Opcode Fuzzy Hash: 4d712b4696f95688d6407e80c8014a2df1886bc078119d99755905f4c3f45187
              • Instruction Fuzzy Hash: F821E772A083019BD7248F68D4C056EB7EAEF84750320463FED92C77A0DA74B914D7A6
              APIs
              • _malloc.LIBCMT ref: 0045558F
                • Part of subcall function 004576A6: __FF_MSGBANNER.LIBCMT ref: 004576BD
                • Part of subcall function 004576A6: __NMSG_WRITE.LIBCMT ref: 004576C4
                • Part of subcall function 004576A6: RtlAllocateHeap.NTDLL(006A0000,00000000,00000001,00000000,?,00000000,?,00459194,00000008,00000008,00000008,?,?,00467F03,00000018,004E4738), ref: 004576E9
              • std::exception::exception.LIBCMT ref: 004555AB
              • __CxxThrowException@8.LIBCMT ref: 004555C0
                • Part of subcall function 00454622: RaiseException.KERNEL32(?,?,00452D08,00000000,?,?,?,?,00452D08,00000000,004E40A8,?), ref: 00454673
              Similarity
              • API ID: AllocateExceptionException@8HeapRaiseThrow_mallocstd::exception::exception
              • String ID:
              • API String ID: 3074076210-0
              • Opcode ID: 3828764b03240c4aac63806525dfdd5d0ae9a2d5b2a0f141bc410d235f6e93ec
              • Instruction ID: 0d9dbcb3caa7577ce675aaccaf345b0ac0bd9aee4d6ca0d7a1b9fb0cb9e00351
              • Opcode Fuzzy Hash: 3828764b03240c4aac63806525dfdd5d0ae9a2d5b2a0f141bc410d235f6e93ec
              • Instruction Fuzzy Hash: F5E0A03480060EBACB14EF95C8119EE76A9AB0034AF10086BED0095283EBB8C64D96A9
              APIs
              • ReadFile.KERNELBASE(?,?,00000400,?,00000000,?,00000000), ref: 00412C2E
              • SetFilePointer.KERNELBASE(?,00000000,00000000,00000000,?,00000000), ref: 00412C7B
              Similarity
              • API ID: File$PointerRead
              • String ID:
              • API String ID: 3154509469-0
              • Opcode ID: 333786f21ccca0029b6169ef758e945c40024ae9d4f4bdeba3fca19f730b7f39
              • Instruction ID: ddf34351f42a40cc06893864b2939aca202206de8b5274e04b1f782fe8d81248
              • Opcode Fuzzy Hash: 333786f21ccca0029b6169ef758e945c40024ae9d4f4bdeba3fca19f730b7f39
              • Instruction Fuzzy Hash: 82012BB06411145ADB2087348F51BFE77ACDF02310F1002A6EB52F71C1E7789E828A9C
              APIs
              • __EH_prolog3_catch.LIBCMT ref: 00413DCE
                • Part of subcall function 00455577: _malloc.LIBCMT ref: 0045558F
              • Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 00413DE2
                • Part of subcall function 00452C58: std::exception::exception.LIBCMT ref: 00452C6E
                • Part of subcall function 00452C58: __CxxThrowException@8.LIBCMT ref: 00452C83
                • Part of subcall function 00452C58: __CxxThrowException@8.LIBCMT ref: 00452CA7
                • Part of subcall function 00452C58: std::exception::exception.LIBCMT ref: 00452CC0
                • Part of subcall function 00452C58: __CxxThrowException@8.LIBCMT ref: 00452CD5
              Similarity
              • API ID: Exception@8Throw$std::exception::exception$Concurrency::details::_Concurrent_queue_base_v4::_H_prolog3_catchInternal_throw_exception_malloc
              • String ID:
              • API String ID: 3521942485-0
              • Opcode ID: 31979ca7607dbeb424dbde50a6663771a865bc387327120a91dcd1bbb7a56def
              • Instruction ID: a1d45acf809e966be0602507cae2ec4d0aebd165b9a20737cd379e7f921fb279
              • Opcode Fuzzy Hash: 31979ca7607dbeb424dbde50a6663771a865bc387327120a91dcd1bbb7a56def
              • Instruction Fuzzy Hash: DB014C70D0578ADEDB05DFAA810129EBFF0AF95304F24C0AED458AB252E3784B488B95
              APIs
              • SetFilePointer.KERNELBASE(?,?,00000000,?,00000000,?,?,?,?,0044DF8B,00000000,?,00000000,00000000), ref: 0044EE77
              • GetLastError.KERNEL32(?,?,?,?,0044DF8B,00000000,?,00000000,00000000), ref: 0044EE7F
              Similarity
              • API ID: ErrorFileLastPointer
              • String ID:
              • API String ID: 2976181284-0
              • Opcode ID: ce97929c8df6c64a842ea0534b9b5ad2717a3bdee3c853314de02d8d5ebaa807
              • Instruction ID: d5ca55d6b17343357763b1e0a5af1dda5e5322521a625ec9aed88c8b27147d59
              • Opcode Fuzzy Hash: ce97929c8df6c64a842ea0534b9b5ad2717a3bdee3c853314de02d8d5ebaa807
              • Instruction Fuzzy Hash: D3F01CB6A00218BBDB108F69DC4489B7FE9FB84360B218626FE15D7240D735DD10DBB4
              APIs
              • ___crtCorExitProcess.LIBCMT ref: 00458CDB
                • Part of subcall function 00458CA3: GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,0045947B,?,?,00458CE0,00000008,?,004576D3,000000FF,0000001E,00000000,?,00000000,?,00459194), ref: 00458CB2
                • Part of subcall function 00458CA3: GetProcAddress.KERNEL32(0045947B,CorExitProcess), ref: 00458CC4
              • ExitProcess.KERNEL32 ref: 00458CE4
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: ExitProcess$AddressHandleModuleProc___crt
              • String ID:
              • API String ID: 2427264223-0
              • Opcode ID: 03047f4bf741655a47ba0a9aacf428862d8339d92a74c11cb529b37c4d469b8d
              • Instruction ID: 24dca9988d4a19aed46da753ed6d55b1604fb428796d19b86093f68feb3b101d
              • Opcode Fuzzy Hash: 03047f4bf741655a47ba0a9aacf428862d8339d92a74c11cb529b37c4d469b8d
              • Instruction Fuzzy Hash: B9B09230000108BBCB022F26DC0A8893F29EB01295B008039F80408032DF76AA91AAD8
              APIs
              • GetLastError.KERNEL32(17703A82,?,00000000,?,?,?,004B3A88,000000FF,?,00401F2D,InstallShield.log,?,00000001), ref: 00402CF0
              • SetLastError.KERNEL32(?,004CBE7C,00000000,?,00000000,?,?,?,004B3A88,000000FF,?,00401F2D,InstallShield.log,?,00000001), ref: 00402D68
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: ErrorLast
              • String ID:
              • API String ID: 1452528299-0
              • Opcode ID: 7481471aa4b58a86471507387f90e649d5b0f4a701d85df070db90abdd22f7d2
              • Instruction ID: b1a053df0eef0c4a919a1c48915c57511e56e1a74c348cdccb668fd2e56de596
              • Opcode Fuzzy Hash: 7481471aa4b58a86471507387f90e649d5b0f4a701d85df070db90abdd22f7d2
              • Instruction Fuzzy Hash: 002136B5604204DFCB008F08C988B96BBE8FB48714F15826AEC099B395D779ED04CB94
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 0044E39F
                • Part of subcall function 00455577: _malloc.LIBCMT ref: 0045558F
                • Part of subcall function 0044D155: __EH_prolog3.LIBCMT ref: 0044D15C
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: H_prolog3H_prolog3__malloc
              • String ID:
              • API String ID: 243267633-0
              • Opcode ID: 233038c40659e4f16631a65d093d9fd2f6afd023cacfdb12e1b8c74fd4967b95
              • Instruction ID: 0845b9d3b192eabbf0d731959f9defdaa38c7e57167efdccb204cf8bffd5d501
              • Opcode Fuzzy Hash: 233038c40659e4f16631a65d093d9fd2f6afd023cacfdb12e1b8c74fd4967b95
              • Instruction Fuzzy Hash: 4A219730901204DBEF15EFB6C95679E7BB5BF00314F20412EE842A71D2DB7C6A44DB18
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: H_prolog3_catch
              • String ID:
              • API String ID: 3886170330-0
              • Opcode ID: 2a0bf6745d17dd7de5ff30f2ad8ec8ea050ef5a3d541d76248e0d48ff40b10c1
              • Instruction ID: e24f5759195094878fa64879088fed28ac160a1c2d31cc35a3a0cd0c38c06086
              • Opcode Fuzzy Hash: 2a0bf6745d17dd7de5ff30f2ad8ec8ea050ef5a3d541d76248e0d48ff40b10c1
              • Instruction Fuzzy Hash: F121D6B1A00305ABCB24DFA5C44479EB7F5AF84754F20421FE4619B3D0C774AAC1CB99
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: H_prolog3_
              • String ID:
              • API String ID: 2427045233-0
              • Opcode ID: 99f5cede496de5884837e3bcb7dd5358ae7e76c40da2ca20694e8d916db57882
              • Instruction ID: 53f945d90a2219bd902e279cdc526fc6fb0b0921f80fced12c24b47243b89817
              • Opcode Fuzzy Hash: 99f5cede496de5884837e3bcb7dd5358ae7e76c40da2ca20694e8d916db57882
              • Instruction Fuzzy Hash: D0118F70804148EEEF11EBE0C865BEE7B78BB00308F14406FE141671D2CBB95A8DCB99
              APIs
              • __EH_prolog3.LIBCMT ref: 0044E29E
                • Part of subcall function 0044E679: __EH_prolog3.LIBCMT ref: 0044E680
                • Part of subcall function 0044E679: CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,0000003C,0044E2D1,?,?,00000044,0044F763,00000008,00000010,0044D239), ref: 0044E6B0
                • Part of subcall function 0044E679: CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000), ref: 0044E6D9
                • Part of subcall function 0044E679: GetSystemInfo.KERNELBASE(000000FF), ref: 0044E6FB
                • Part of subcall function 0044E679: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,?), ref: 0044E70F
                • Part of subcall function 0044E679: IsBadReadPtr.KERNEL32(?,000000F8), ref: 0044E743
                • Part of subcall function 0044E679: UnmapViewOfFile.KERNEL32(00000000), ref: 0044E761
                • Part of subcall function 0044E679: MapViewOfFile.KERNEL32(00000008,00000004,00000000,00000000,?), ref: 0044E773
                • Part of subcall function 0044E679: IsBadReadPtr.KERNEL32(?,000000F8), ref: 0044E7A1
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: File$View$CreateH_prolog3Read$InfoMappingSystemUnmap
              • String ID:
              • API String ID: 2534712947-0
              • Opcode ID: f96a0c9a83d4a7f8d560e9bc0cf13264f6b6b8df7ec01019c26a0e943c880617
              • Instruction ID: 4208659bf2ff8d03dacef09cf20cfabb345a66aa9c1cb9375e55c06fb764aa23
              • Opcode Fuzzy Hash: f96a0c9a83d4a7f8d560e9bc0cf13264f6b6b8df7ec01019c26a0e943c880617
              • Instruction Fuzzy Hash: A3117C71C0010AEADB01EFE6C842AEEBB74BF04304F5040AAE514B7192D7795B04DBA6
              APIs
              • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000001,00000000,?,00000008,00000000,?,00413077,000000FF,?), ref: 00412E4F
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: CreateFile
              • String ID:
              • API String ID: 823142352-0
              • Opcode ID: 9827af8bc8e1236087341240a7e075be644ffd8599be13e057c7fffc41e8de1e
              • Instruction ID: 5f62f1415c7c232a8c475ab554dae157f0e912c0d8fe5001b76d29d4ae8b7aac
              • Opcode Fuzzy Hash: 9827af8bc8e1236087341240a7e075be644ffd8599be13e057c7fffc41e8de1e
              • Instruction Fuzzy Hash: 3EF0F631240300AFCB245F54CD45FD6B79AEB52724F20012FF6D19B2D1C6B59992C758
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 00413BF0
                • Part of subcall function 00410F71: __EH_prolog3.LIBCMT ref: 00410F78
                • Part of subcall function 00413047: __EH_prolog3_GS.LIBCMT ref: 00413051
                • Part of subcall function 0041394A: __EH_prolog3_GS.LIBCMT ref: 00413951
                • Part of subcall function 00413588: __EH_prolog3_GS.LIBCMT ref: 00413592
                • Part of subcall function 00413588: CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 004135C7
                • Part of subcall function 00411918: __EH_prolog3.LIBCMT ref: 0041191F
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: H_prolog3_$H_prolog3$CreateFile
              • String ID:
              • API String ID: 3060330310-0
              • Opcode ID: 69dfb0de71d832316d5cb876fccf4092a5dafbefc53f31799f97353229ee6637
              • Instruction ID: dbf4b2b54f3c393b8a04756d1f093fad931c618f3b8b22ec585fe2cbe7ce9939
              • Opcode Fuzzy Hash: 69dfb0de71d832316d5cb876fccf4092a5dafbefc53f31799f97353229ee6637
              • Instruction Fuzzy Hash: A0014835820109ABCF04EFA1D8919DDB730BF54718F10001EB81163191DB786B89CB24
              APIs
              • CompareStringA.KERNELBASE(00000400,00000001,?,00000008,00000008,000000FF,1DDCE8FF,00000000,0044F763,?,0044E0C0,.debug,0044F763,?,0044E2ED,0044F763), ref: 0044E345
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: CompareString
              • String ID:
              • API String ID: 1825529933-0
              • Opcode ID: 6cef331ad9ee02186fef4d4a99ac2f00c04c349a4d445b36230fe019d20f6f3e
              • Instruction ID: 75d64c85cc3c524dd61244d48224f75619216eed9b9f0c182a89e23342285c04
              • Opcode Fuzzy Hash: 6cef331ad9ee02186fef4d4a99ac2f00c04c349a4d445b36230fe019d20f6f3e
              • Instruction Fuzzy Hash: 25F0EC3234411177D7214FA75C81AE7F799FB41B71F114222FE18971C0D675A84183E4
              APIs
              • WriteFile.KERNELBASE(?,00000008,00000000,?,00000000,00000000,?,0041362B,00000000,?,?,00000000,00000001,0000FEFF), ref: 00413B53
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: FileWrite
              • String ID:
              • API String ID: 3934441357-0
              • Opcode ID: 60bfe631756bc7a322db192ee8bd555a9c0306d3ac0c1cbecdf391fac41e6aba
              • Instruction ID: 44a2a949c612481166bb824d3d05eb6cf9d2c7b84c3ec555cee79c402c34a9c8
              • Opcode Fuzzy Hash: 60bfe631756bc7a322db192ee8bd555a9c0306d3ac0c1cbecdf391fac41e6aba
              • Instruction Fuzzy Hash: C0D08C32000218ABCB101E04DC05AD67BA8EF02722F000016FC0456011C374A9A09AE8
              APIs
              • __EH_prolog3.LIBCMT ref: 00411832
                • Part of subcall function 00413DC7: __EH_prolog3_catch.LIBCMT ref: 00413DCE
                • Part of subcall function 00413DC7: Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 00413DE2
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: Concurrency::details::_Concurrent_queue_base_v4::_H_prolog3H_prolog3_catchInternal_throw_exception
              • String ID:
              • API String ID: 291643738-0
              • Opcode ID: 18c801217d236abdafb0f5c8283644f431255ac3dc23a1aea7acf3ff8a94cc06
              • Instruction ID: 38fbc3103c543242aef3b7a7ad62a5b4a56ea1ad5e887862af5bd07a7c95e943
              • Opcode Fuzzy Hash: 18c801217d236abdafb0f5c8283644f431255ac3dc23a1aea7acf3ff8a94cc06
              • Instruction Fuzzy Hash: D4D05E71910611CBDB20BF69840134875A0AB40B3FF104A1EA0E04B1C2C77C15408759
              APIs
              • SetFilePointer.KERNELBASE(?,00000000,00000000,00000001,?,0044E3E2,?,00000074,0044D3A0,00000000,?,?,?,?,?), ref: 0044EE4D
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: FilePointer
              • String ID:
              • API String ID: 973152223-0
              • Opcode ID: 74c14f3b6436786bf2bfbd5926de71e1238744d1c0b2c08286f2899cfe1cc964
              • Instruction ID: b321e13daab85e77d711c38b8dedb2cb221797824a2bd6d6b2794a49af237e96
              • Opcode Fuzzy Hash: 74c14f3b6436786bf2bfbd5926de71e1238744d1c0b2c08286f2899cfe1cc964
              • Instruction Fuzzy Hash: 3FB09231280308B7EA202A45EC06F85BA999710B50F108021FB04280E186F36460959C
              APIs
              • _doexit.LIBCMT ref: 004590F9
                • Part of subcall function 00458FC0: __lock.LIBCMT ref: 00458FCE
                • Part of subcall function 00458FC0: DecodePointer.KERNEL32(004E4340,0000001C,00458ED5,00000008,00000001,00000000,?,00458E16,000000FF,?,00467E3D,00000011,00000000,?,004594E9,0000000D), ref: 0045900D
                • Part of subcall function 00458FC0: DecodePointer.KERNEL32(?,00458E16,000000FF,?,00467E3D,00000011,00000000,?,004594E9,0000000D), ref: 0045901E
                • Part of subcall function 00458FC0: EncodePointer.KERNEL32(00000000,?,00458E16,000000FF,?,00467E3D,00000011,00000000,?,004594E9,0000000D), ref: 00459037
                • Part of subcall function 00458FC0: DecodePointer.KERNEL32(-00000004,?,00458E16,000000FF,?,00467E3D,00000011,00000000,?,004594E9,0000000D), ref: 00459047
                • Part of subcall function 00458FC0: EncodePointer.KERNEL32(00000000,?,00458E16,000000FF,?,00467E3D,00000011,00000000,?,004594E9,0000000D), ref: 0045904D
                • Part of subcall function 00458FC0: DecodePointer.KERNEL32(?,00458E16,000000FF,?,00467E3D,00000011,00000000,?,004594E9,0000000D), ref: 00459063
                • Part of subcall function 00458FC0: DecodePointer.KERNEL32(?,00458E16,000000FF,?,00467E3D,00000011,00000000,?,004594E9,0000000D), ref: 0045906E
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: Pointer$Decode$Encode$__lock_doexit
              • String ID:
              • API String ID: 2158581194-0
              • Opcode ID: e664eab0a2f8ce3703c552baf369986a84cdf03d3e0bf670d1975cdb5f15a4fc
              • Instruction ID: 55a76e6079361dc8466054693e47ff9cee82c93026a353e00f2636885ada5d6f
              • Opcode Fuzzy Hash: e664eab0a2f8ce3703c552baf369986a84cdf03d3e0bf670d1975cdb5f15a4fc
              • Instruction Fuzzy Hash: 2CB0123258430C33D9102542FC03F053B0D4790B5CF100025FE0C2C1E3AD93766544CD
              APIs
              • _malloc.LIBCMT ref: 0040D5DB
                • Part of subcall function 004576A6: __FF_MSGBANNER.LIBCMT ref: 004576BD
                • Part of subcall function 004576A6: __NMSG_WRITE.LIBCMT ref: 004576C4
                • Part of subcall function 004576A6: RtlAllocateHeap.NTDLL(006A0000,00000000,00000001,00000000,?,00000000,?,00459194,00000008,00000008,00000008,?,?,00467F03,00000018,004E4738), ref: 004576E9
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: AllocateHeap_malloc
              • String ID:
              • API String ID: 501242067-0
              • Opcode ID: fc20b8378666ed858499636d95b5b72cae160f6b496dfe4055a72765c92624be
              • Instruction ID: 245a9b5349130949ce6def0f043ee0899f6f2f1e7d4043e2ab581e6927910aaa
              • Opcode Fuzzy Hash: fc20b8378666ed858499636d95b5b72cae160f6b496dfe4055a72765c92624be
              • Instruction Fuzzy Hash: 2EB092B380470D979B00EE99AD86C5A739CAA64634B094426BE1C8B202E535F6248696
              APIs
              • CloseHandle.KERNELBASE(?,?,00412E65,?,00000008,00000000,?,00413077,000000FF,?), ref: 00408AA4
              Similarity
              • API ID: CloseHandle
              • String ID:
              • API String ID: 2962429428-0
              • Opcode ID: 0bc4e08bf2da805b15829e36182cb17b6e4f57447d869d810816624678bd7d95
              • Instruction ID: 13b285a0199c13843749f5f5059b3b69050c8fbb6d50518091e5d97923d76eb6
              • Opcode Fuzzy Hash: 0bc4e08bf2da805b15829e36182cb17b6e4f57447d869d810816624678bd7d95
              • Instruction Fuzzy Hash: 87C0CA302141114AE2289F2CAC4096233D9AB85330329076EA4B4A3BE0CB388C828A58
              APIs
              • CloseHandle.KERNELBASE(?,00000000,0048975B,?,0000006C,0048BECB,004881FF,?,?), ref: 00404C03
              Similarity
              • API ID: CloseHandle
              • String ID:
              • API String ID: 2962429428-0
              • Opcode ID: ea1eb1d5133cacf1025ad2c92cf8428edf8fa80289d80cb33b97fa657cdba1fc
              • Instruction ID: d8f210156e87acecb9cd50544afb6f79305d1a09f25a7746d76b694dce2694b9
              • Opcode Fuzzy Hash: ea1eb1d5133cacf1025ad2c92cf8428edf8fa80289d80cb33b97fa657cdba1fc
              • Instruction Fuzzy Hash: C4C0127020611147E778CF59A85076323D85F84300B1A056ED841D3380D678DC40875C
              APIs
              • CloseHandle.KERNELBASE(?,?,00492CAF,00000000,00000000), ref: 00492D78
              Similarity
              • API ID: CloseHandle
              • String ID:
              • API String ID: 2962429428-0
              • Opcode ID: 0aca67bbb75b28c9f4b9d7a6f486d912bfd24a3112db75dcd9a3dd66ca1ef8ca
              • Instruction ID: 4ba30e94cbdcef46c604d1222b133a59b3d4945bd9d4ccac360c5f9db46978b7
              • Opcode Fuzzy Hash: 0aca67bbb75b28c9f4b9d7a6f486d912bfd24a3112db75dcd9a3dd66ca1ef8ca
              • Instruction Fuzzy Hash: F7B0123800414CBBCF011F51EC044E8BFADDA05164B08D061FC5C06222C73395119B94
              APIs
              • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004651AC
              • __whiteout.LIBCMT ref: 0046521B
                • Part of subcall function 00456505: __getptd_noexit.LIBCMT ref: 00456505
              Similarity
              • API ID: Locale$UpdateUpdate::___getptd_noexit__whiteout
              • String ID: csm
              • API String ID: 4052982633-1018135373
              • Opcode ID: a363f224e05e8f04a4653cc430a5471b4e603445db691cc7fc6845a590fd56a8
              • Instruction ID: df7eb8bf06a9dc664b335fcf54154f71f9231547a0e94a9b794880e097bbdc1e
              • Opcode Fuzzy Hash: a363f224e05e8f04a4653cc430a5471b4e603445db691cc7fc6845a590fd56a8
              • Instruction Fuzzy Hash: D6C2AD71D016698BDF359B14CC987EEB7B4AB04310F6441EBE449A7391EA389EC1CF4A
              APIs
              • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00463D51
              • __whiteout.LIBCMT ref: 00463DBC
                • Part of subcall function 00456505: __getptd_noexit.LIBCMT ref: 00456505
              Similarity
              • API ID: Locale$UpdateUpdate::___getptd_noexit__whiteout
              • String ID:
              • API String ID: 4052982633-0
              • Opcode ID: 36bf462b7dc2893762498e534af177857278a34942b39c054f690c2cda0d70bc
              • Instruction ID: 0bd11cd2ae23bf591eba0ec03a8732d0d79eb46604e19ade87507f2b0595f40b
              • Opcode Fuzzy Hash: 36bf462b7dc2893762498e534af177857278a34942b39c054f690c2cda0d70bc
              • Instruction Fuzzy Hash: 5FB29271D052698BDF359B14CC98BEDB7B4AB85314F1440EBE449A7291EA385FC1CF0A
              APIs
              • __EH_prolog3_catch_GS.LIBCMT ref: 0042F542
                • Part of subcall function 00403E30: GetLastError.KERNEL32 ref: 00403E4F
                • Part of subcall function 00403E30: SetLastError.KERNEL32(?), ref: 00403E7F
                • Part of subcall function 00446414: __EH_prolog3_GS.LIBCMT ref: 0044641B
              • SendMessageW.USER32(?,00000401,00000000,00000001), ref: 0042F848
                • Part of subcall function 0043319E: __EH_prolog3_GS.LIBCMT ref: 004331A8
                • Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00415457,00000000,?,00000000,?,00000001,00000044,004152EA,004CC0A0,?,00000000,00000000,00000040,004115AA), ref: 00401B8F
                • Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
                • Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
                • Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4
              Similarity
              • API ID: ErrorLast$FreeH_prolog3_String$H_prolog3_catch_MessageSend
              • String ID: 2$8/O$Attempting to get MSI 3.0 redist instead$Attempting to get file '%s' for MSI engine install$Delaying redist reboot...$Failed to get file$Got file '%s' for MSI engine install$InstallSource$MSI 3.1 needs to be installed, but is not available$MSI 3.1 to be installed, was not installed with redist package$PackageCode$PackageName$Reboot needed: %s$Reboot not suppressed, SuppressReboot not set and MSI installed$Reboot not suppressed, SuppressReboot set to N$Startup$SuppressReboot$SuppressReboot set to Yes or MSI not being installed, suppressing reboot$WindowsInstaller-KB893803-x86.exe$f$instmsi30.exe$msiaction.cpp$yes
              • API String ID: 4207100392-3853045820
              • Opcode ID: 3072283d3e4c553a6b8f4bc96a8e87639861985dbbd36c4c1a5b50d1ef35910a
              • Instruction ID: 87181bebe7bde5c1dbfa57f0a1b7fce424fffa281a30f8db68ea25b86879e07a
              • Opcode Fuzzy Hash: 3072283d3e4c553a6b8f4bc96a8e87639861985dbbd36c4c1a5b50d1ef35910a
              • Instruction Fuzzy Hash: E1B2C470A01258DEEF21DB64CD51BEEB7B8AF15304F4400EAE04967292DB785F89CF5A
              APIs
              • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0045FE5F
                • Part of subcall function 00456505: __getptd_noexit.LIBCMT ref: 00456505
              • _memset.LIBCMT ref: 00460009
              Similarity
              • API ID: Locale$UpdateUpdate::___getptd_noexit_memset
              • String ID: X
              • API String ID: 2502719891-3081909835
              • Opcode ID: edbeac3776d6fb419d1aa158deb1156d1335d030c4aa06b142648c7e6b231f1e
              • Instruction ID: 24c8ff70840fccd4a9adf7fe9f89ba072142bcd8573e65ca72dd39f283107a17
              • Opcode Fuzzy Hash: edbeac3776d6fb419d1aa158deb1156d1335d030c4aa06b142648c7e6b231f1e
              • Instruction Fuzzy Hash: 89B26C71B003298BDB74CA18CC44BABB3B1AB56315F1441EBD409A7691E7799EC5CF0B
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 00496327
              • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0049635B
              • ReadFile.KERNEL32(00000000,?,00000018,?,00000000), ref: 00496386
              • CryptCreateHash.ADVAPI32(?,00008004,00000000,00000000,?), ref: 004963C3
              • ReadFile.KERNEL32(?,00000000,?,?,00000000,?,00008004,00000000,00000000,?), ref: 004963D9
              • CryptHashData.ADVAPI32(?,00000000,?,00000000,?,00008004,00000000,00000000,?), ref: 004963EB
              • GetLastError.KERNEL32(?,00008004,00000000,00000000,?), ref: 004963F5
              • CryptHashData.ADVAPI32(?,00000000,?,00000000,?,?,00000001,?,00008004,00000000,00000000,?), ref: 00496426
              • GetLastError.KERNEL32(?,00008004,00000000,00000000,?), ref: 00496430
              • CryptDeriveKey.ADVAPI32(?,00006801,?,00000000,?,?,00008004,00000000,00000000,?), ref: 00496450
              • GetLastError.KERNEL32(?,00008004,00000000,00000000,?), ref: 0049645A
              • ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 004964AE
              • CryptImportKey.ADVAPI32(?,00000000,?,?,00000010,00000001), ref: 004964CE
              • GetLastError.KERNEL32(?,00000000,?,?,00000010,00000001), ref: 004964D8
                • Part of subcall function 00455577: _malloc.LIBCMT ref: 0045558F
              • GetLastError.KERNEL32 ref: 004964EE
                • Part of subcall function 00408A90: CloseHandle.KERNELBASE(?,?,00412E65,?,00000008,00000000,?,00413077,000000FF,?), ref: 00408AA4
              Similarity
              • API ID: CryptErrorLast$File$HashRead$CreateData$CloseDeriveH_prolog3_HandleImport_malloc
              • String ID:
              • API String ID: 2446101899-0
              • Opcode ID: 766d8429ae9d2e80b6b4767e74f9e53e332a888511092f293a8bc46266a9a736
              • Instruction ID: 8b862e9188337f365a90a20c868112785350713ee89b1c2f7d9493a4f8b4a7ba
              • Opcode Fuzzy Hash: 766d8429ae9d2e80b6b4767e74f9e53e332a888511092f293a8bc46266a9a736
              • Instruction Fuzzy Hash: BA515771900208AFEF11AFE1CC44AEEBBB9FF04344F11413AF915A62A1DB395915CB28
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c03ea7349ed6ca312b99dc7af6497dc9b510d741026363ffc1ee047c61d5c29c
              • Instruction ID: 57ed48c7c971f94671361b92740e7c6751eaf31acfbc4086ec8613d17f789331
              • Opcode Fuzzy Hash: c03ea7349ed6ca312b99dc7af6497dc9b510d741026363ffc1ee047c61d5c29c
              • Instruction Fuzzy Hash: 5C326079B012288FCB24CF55DD806EAB7F5FB46314F0841DAE80A97A85E7349E81CF56
              APIs
                • Part of subcall function 00459419: __getptd_noexit.LIBCMT ref: 0045941A
                • Part of subcall function 00459419: __amsg_exit.LIBCMT ref: 00459427
              • _memset.LIBCMT ref: 00476D12
              • _TranslateName.LIBCMT ref: 00476D5D
              • _TranslateName.LIBCMT ref: 00476DA8
              • GetUserDefaultLCID.KERNEL32(?,?,00000055), ref: 00476DF5
                • Part of subcall function 00467B66: _GetTableIndexFromLcid.LIBCMT ref: 00467B93
                • Part of subcall function 00467B66: _wcsnlen.LIBCMT ref: 00467BA7
              • IsValidCodePage.KERNEL32(00000000), ref: 00476E49
              • IsValidLocale.KERNEL32(?,00000001), ref: 00476E5C
              • GetLocaleInfoW.KERNEL32(?,00001001,?,00000040), ref: 00476EAF
              • GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 00476EC6
              • __itow_s.LIBCMT ref: 00476ED8
                • Part of subcall function 00456BBE: _xtow_s@20.LIBCMT ref: 00456BE0
              Similarity
              • API ID: Locale$InfoNameTranslateValid$CodeDefaultFromIndexLcidPageTableUser__amsg_exit__getptd_noexit__itow_s_memset_wcsnlen_xtow_s@20
              • String ID: dJL
              • API String ID: 2025796856-3311603930
              • Opcode ID: ebeb304217c19407fe7e94f5a83f4dd3eff76138b4e14aa8fd86a05dff0d7657
              • Instruction ID: 81dce445459cea18d89a11e1bd4e191b2442be097cc0ef42fa7faba6cd902ed7
              • Opcode Fuzzy Hash: ebeb304217c19407fe7e94f5a83f4dd3eff76138b4e14aa8fd86a05dff0d7657
              • Instruction Fuzzy Hash: A4518471A006199BEB20EF65CC85AFF77B9EF04704F16442BE909D7281E778D904CB69
              Similarity
              • API ID: InfoLocale___crt__calloc_crt_free$ErrorFeatureLastPresentProcessor
              • String ID:
              • API String ID: 4163210287-0
              • Opcode ID: 490762277664b5ee103e117da2bd9ef2679ace6c2fa391c2a0a704e762d50db9
              • Instruction ID: fc318aaa5e06531083c91a3907fb11fc09686b6ae0a4b552b673da4aca775183
              • Opcode Fuzzy Hash: 490762277664b5ee103e117da2bd9ef2679ace6c2fa391c2a0a704e762d50db9
              • Instruction Fuzzy Hash: 2B51B7B1904215ABEF249F259C42FAB7B6DEF14315F10409EFD08A2243EE399D54CB69
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 004373FD
              • _memset.LIBCMT ref: 0043741D
              • GetTempPathW.KERNEL32(00000400,?), ref: 00437431
                • Part of subcall function 00402CA0: GetLastError.KERNEL32(17703A82,?,00000000,?,?,?,004B3A88,000000FF,?,00401F2D,InstallShield.log,?,00000001), ref: 00402CF0
                • Part of subcall function 00402CA0: SetLastError.KERNEL32(?,004CBE7C,00000000,?,00000000,?,?,?,004B3A88,000000FF,?,00401F2D,InstallShield.log,?,00000001), ref: 00402D68
                • Part of subcall function 00401AC0: GetLastError.KERNEL32(?,00000000,004035F7,00000000,00000000,?,?,00000000,004CBE7C,?,00000001,?,00000000,000000FF,-00000004,?), ref: 00401ACF
                • Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AEB
                • Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AF6
                • Part of subcall function 00401AC0: SetLastError.KERNEL32(?), ref: 00401B14
              • FindFirstFileW.KERNEL32(?,?), ref: 004374B9
              • CompareFileTime.KERNEL32(?,?), ref: 004374E3
              • DeleteFileW.KERNEL32(?,?,?,?,00000001,?,?,00000001), ref: 00437565
              • FindNextFileW.KERNEL32(00000000,?), ref: 00437582
              Similarity
              • API ID: ErrorFileLast$FindFreeString$CompareDeleteFirstH_prolog3_NextPathTempTime_memset
              • String ID: *.mst
              • API String ID: 2018102183-516677590
              • Opcode ID: ea046a2aa42a2d7e07231dc1e750a164ba7ba6fae0a7d8d436e1a9e1e7c20222
              • Instruction ID: 9fccf28359f985ea4e6ffc479d4898e44c843914ca881295a2eed234c13463bd
              • Opcode Fuzzy Hash: ea046a2aa42a2d7e07231dc1e750a164ba7ba6fae0a7d8d436e1a9e1e7c20222
              • Instruction Fuzzy Hash: 63416F7190015DDADB20EBA4CC54BEEB7B8BF15304F1081EAE189A7091EBB85F85CF95
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 00450F1F
                • Part of subcall function 004115ED: __EH_prolog3.LIBCMT ref: 004115F4
                • Part of subcall function 00485DE4: __EH_prolog3_GS.LIBCMT ref: 00485DEB
              • LoadLibraryW.KERNEL32(-00000004,COMCTL32,?,00000001,00000074,0044C24F,?,00000001,clone_wait,00000000,00000001,00000001,Relaunching setup from temp,?,00000001,Setup.cpp), ref: 00450F5A
              • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00450F87
              • #17.COMCTL32 ref: 00450FA7
              Similarity
              • API ID: H_prolog3_$AddressH_prolog3LibraryLoadProc
              • String ID: $COMCTL32$InitCommonControlsEx
              • API String ID: 1649272465-1772614818
              • Opcode ID: f9af30656044b4616b6c8ab130da0e8bfbb13377134e341a7bfa1d9a1be87986
              • Instruction ID: f48c8b41289c986376d26146d9651d0a7d160f8aaf6f3e74d4b04f068ed232e9
              • Opcode Fuzzy Hash: f9af30656044b4616b6c8ab130da0e8bfbb13377134e341a7bfa1d9a1be87986
              • Instruction Fuzzy Hash: 1B116D31C04218DBDB14EBE5CC89BDDBBB4BF01705F64016EE841A7192DB785A09CB69
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 00430B67
              • GetVersionExW.KERNEL32(?,000001FC,00437B12,004B7104,?,?,00000001,00000000,?,dotnetfx.exe,?,00000001,isnetfx.exe,?,00000001,000001D4), ref: 00430B88
              • _wcscmp.LIBCMT ref: 00430BBB
              • _wcscmp.LIBCMT ref: 00430D3A
              Strings
              Similarity
              • API ID: _wcscmp$H_prolog3_Version
              • String ID: 0$dotnetfxsp1.exe
              • API String ID: 158289-2331464614
              • Opcode ID: f2be3acf74d42081956ccdffefbecbc44e95c0e63c6349b6728093a6734f29ea
              • Instruction ID: d821835f070a3537439e284fe86b78b3b8600b281d3bc577d6b312d544c46797
              • Opcode Fuzzy Hash: f2be3acf74d42081956ccdffefbecbc44e95c0e63c6349b6728093a6734f29ea
              • Instruction Fuzzy Hash: B851917190026DDADB24DBA5CC95BEEB7B8AF15308F1001EEE409A7182DB781F89CF55
              APIs
              • SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00496DD1
                • Part of subcall function 00455577: _malloc.LIBCMT ref: 0045558F
              • CryptSignHashW.ADVAPI32(?,00000002,00000000,00000000,00000000,?), ref: 00496DE7
              • GetLastError.KERNEL32 ref: 00496DF1
              • CryptSignHashW.ADVAPI32(?,00000002,00000000,00000000,?,?), ref: 00496E34
              • WriteFile.KERNEL32(?,?,00000004,?,00000000), ref: 00496E50
              • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00496E60
              • SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00496E94
              Similarity
              • API ID: File$CryptHashPointerSignWrite$ErrorLast_malloc
              • String ID:
              • API String ID: 1271059220-0
              • Opcode ID: 962fade4f3a80b98ee2e86d2092b119d7c347d0ba630b9be10b9ee541876a4b8
              • Instruction ID: 5c94641989e86161df17b39c65317b0b008d0b72d7659fee4285a8e7243ff47c
              • Opcode Fuzzy Hash: 962fade4f3a80b98ee2e86d2092b119d7c347d0ba630b9be10b9ee541876a4b8
              • Instruction Fuzzy Hash: 51317132240615BFEF215F61DC45FA67FA9FF04750F014136FE04AA5A0CBB6A861DB98
              APIs
              • _wcscmp.LIBCMT ref: 00476B72
              • _wcscmp.LIBCMT ref: 00476B83
              • GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,?,?,00476E21,?,00000000), ref: 00476B9F
              • GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,?,?,00476E21,?,00000000), ref: 00476BC9
              Strings
              Similarity
              • API ID: InfoLocale_wcscmp
              • String ID: ACP$OCP
              • API String ID: 1351282208-711371036
              • Opcode ID: c44b8a163156d6e4f73da52d64f3ebece04421546645aadb167de0845e179e24
              • Instruction ID: 3bc73f60e2fa4d28f7040ba3c5cb8d1ebacf743144d319879442c79c56c09a18
              • Opcode Fuzzy Hash: c44b8a163156d6e4f73da52d64f3ebece04421546645aadb167de0845e179e24
              • Instruction Fuzzy Hash: 92019631201925ABDB205E55DC41FD737DD9F05756B06C02BF90CDA152D779E980878C
              APIs
              • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,0000000A,Startup,?), ref: 004899AC
              • OpenProcessToken.ADVAPI32(00000000,00000028,?,?,?,?,?,?,?,?,?,?,00000000,0000000A,Startup,?), ref: 004899B9
              • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004899D0
              • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004899FB
              • ExitWindowsEx.USER32(00000002,0000FFFF), ref: 00489A09
              Strings
              Similarity
              • API ID: ProcessToken$AdjustCurrentExitLookupOpenPrivilegePrivilegesValueWindows
              • String ID: SeShutdownPrivilege
              • API String ID: 1314775590-3733053543
              • Opcode ID: 86439a35907816df00e44d6867c643e087125291430014abe995cf51ca2040af
              • Instruction ID: 427196502c625ee3ddd1314a170f73c6ac0e2626cb787e0d5e7b2f18bff0c9e1
              • Opcode Fuzzy Hash: 86439a35907816df00e44d6867c643e087125291430014abe995cf51ca2040af
              • Instruction Fuzzy Hash: DA011271A00219ABDB14EFA5DC4ADEFBBB8FF05705F114529E502E2280D6789A04CBA4
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 0044653D
                • Part of subcall function 00403B80: GetLastError.KERNEL32 ref: 00403B9F
                • Part of subcall function 00403B80: SetLastError.KERNEL32(?), ref: 00403BCF
                • Part of subcall function 00403D20: SysStringLen.OLEAUT32(?), ref: 00403D2E
                • Part of subcall function 00403D20: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 00403D48
                • Part of subcall function 0044F6F4: __EH_prolog3_GS.LIBCMT ref: 0044F6FE
                • Part of subcall function 0044F6F4: _memset.LIBCMT ref: 0044F731
                • Part of subcall function 0044F6F4: GetModuleFileNameW.KERNEL32(?,00000104), ref: 0044F74B
                • Part of subcall function 0044F6F4: _memset.LIBCMT ref: 0044F778
                • Part of subcall function 0044F6F4: _memset.LIBCMT ref: 0044F7C3
                • Part of subcall function 0044F6F4: GetTempPathW.KERNEL32(00000104,?,?,?,?,?,?,?,?,?), ref: 0044F7D7
                • Part of subcall function 0044F6F4: GetTempFileNameW.KERNELBASE(?,004BC35C,00000000,?,?,?,?,?,?,?,?,?), ref: 0044F7F1
                • Part of subcall function 00403980: GetLastError.KERNEL32(17703A82,?,00000000), ref: 004039B9
                • Part of subcall function 00403980: SetLastError.KERNEL32(00000000,?,00000000), ref: 00403A4C
                • Part of subcall function 004579C3: __wtof_l.LIBCMT ref: 004579CB
              • GetLocalTime.KERNEL32(?), ref: 004465D1
              • SystemTimeToVariantTime.OLEAUT32(?,?), ref: 004465E7
              Strings
              Similarity
              • API ID: ErrorLast$Time_memset$FileH_prolog3_NameStringTemp$AllocLocalModulePathSystemVariant__wtof_l
              • String ID: ExpireDate$Startup
              • API String ID: 2083253037-3358940881
              • Opcode ID: a3b23ffad6cbf1512d6c570343190fe0cd1816d9d3aac25023462c21993a0424
              • Instruction ID: 5742a3eaa42325ac043f68d0c68a8546cda61c551cc7a51656b05fa26fb9c4c3
              • Opcode Fuzzy Hash: a3b23ffad6cbf1512d6c570343190fe0cd1816d9d3aac25023462c21993a0424
              • Instruction Fuzzy Hash: 712151B1D00118AFDF05EFE4C845BCEBBB8EF15304F20416AE505BB196DB785649CBA9
              APIs
                • Part of subcall function 00496A5A: CryptAcquireContextW.ADVAPI32(?,?,00000000,00000001,00000010,?,?,?,?,00496659,00000000), ref: 00496A75
                • Part of subcall function 00496A5A: CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,00496659,00000000), ref: 00496A7E
                • Part of subcall function 00496A5A: CryptDestroyHash.ADVAPI32(?,?,00000000,?,?,?,00496659,00000000), ref: 00496A87
              • CoCreateGuid.OLE32(?,00000000), ref: 0049665D
              • StringFromGUID2.OLE32(?,?,00000028), ref: 0049666D
              • _wcsncpy.LIBCMT ref: 0049667D
              • CryptAcquireContextW.ADVAPI32(?,?,?,00000001,00000008), ref: 0049668C
              • CryptCreateHash.ADVAPI32(?,?,00000000,00000000,?,?,?,?,00000001,00000008), ref: 004966A2
              Similarity
              • API ID: Crypt$Context$AcquireCreateHash$DestroyFromGuidReleaseString_wcsncpy
              • String ID:
              • API String ID: 396328816-0
              • Opcode ID: 5452182ea2ad4fdff90088722383fd228471f10b1c877be917a2eb631a6c23b1
              • Instruction ID: 0c1eb72f7df294b8e6b67dd8c1ef564adb2a6ecdd173626bcfb8fc65d9eb5ab9
              • Opcode Fuzzy Hash: 5452182ea2ad4fdff90088722383fd228471f10b1c877be917a2eb631a6c23b1
              • Instruction Fuzzy Hash: 99015272600208BBDB10EFE5DC89F9F7BBDFB04705F104436BA02DA195DA78AA188764
              APIs
                • Part of subcall function 00459419: __getptd_noexit.LIBCMT ref: 0045941A
                • Part of subcall function 00459419: __amsg_exit.LIBCMT ref: 00459427
              • GetLocaleInfoW.KERNEL32(00000000,?,?,000000F0), ref: 00476899
              • GetLocaleInfoW.KERNEL32(00000000,?,?,000000F0), ref: 004768E6
              • GetLocaleInfoW.KERNEL32(00000000,?,?,000000F0), ref: 00476996
              Similarity
              • API ID: InfoLocale$__amsg_exit__getptd_noexit
              • String ID:
              • API String ID: 41668988-0
              • Opcode ID: 6100159daf059f2361e2501ea4d68d81cf670460594824cbf996553494704760
              • Instruction ID: 6a104288b6f96cb0e964fbe18a3792142fe5b59c8865a571e1a3c0f9052bfd3b
              • Opcode Fuzzy Hash: 6100159daf059f2361e2501ea4d68d81cf670460594824cbf996553494704760
              • Instruction Fuzzy Hash: 3751E2B1500A129FDB289F24CC82BB777A9EF01314F15C07BE908DA282EB7CD954CB59
              APIs
              • GetLocaleInfoW.KERNEL32(?,00001004,?,00000014), ref: 004508AF
              • TranslateCharsetInfo.GDI32(00000000,?,00000002), ref: 004508CA
              • IsValidLocale.KERNEL32(?,00000001), ref: 004508E2
              Similarity
              • API ID: InfoLocale$CharsetTranslateValid
              • String ID:
              • API String ID: 1865635962-0
              • Opcode ID: e88a8da2b18b71157007f151566c64490908d414be73710e3313fe2ca2680b6b
              • Instruction ID: 2bdf8726f584e120e8e738199ab34510dd31bd27e304f882b1f15984d43ba0f2
              • Opcode Fuzzy Hash: e88a8da2b18b71157007f151566c64490908d414be73710e3313fe2ca2680b6b
              • Instruction Fuzzy Hash: 19019234E10304EBDB00EF78DC86EAE73A8EF04756F004126F901E6292DB78D9098B9C
              APIs
              • CryptGetHashParam.ADVAPI32(?,00000004,?,?,00000000), ref: 00496068
              • GetLastError.KERNEL32 ref: 00496072
              • CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000), ref: 0049609E
              Similarity
              • API ID: CryptHashParam$ErrorLast
              • String ID:
              • API String ID: 1884520423-0
              • Opcode ID: 8df531cd28e9b01e82b65069018c1cf8f663d02a7028e2019ab7eff8e784fac6
              • Instruction ID: d2480bee60b9634bc41115ad15eab7867cdbc827cb9e3c3570d646b433cb6ba6
              • Opcode Fuzzy Hash: 8df531cd28e9b01e82b65069018c1cf8f663d02a7028e2019ab7eff8e784fac6
              • Instruction Fuzzy Hash: 74F01D75110204BBDB10DF60CC4AF9A7BF8EB00700F11452AEA1196290E776A9049B64
              APIs
              • CryptGetHashParam.ADVAPI32(?,00000004,?,?,00000000), ref: 004969E9
              • GetLastError.KERNEL32 ref: 004969F3
              • CryptSetHashParam.ADVAPI32(?,00000002,?,00000000), ref: 00496A1B
              Similarity
              • API ID: CryptHashParam$ErrorLast
              • String ID:
              • API String ID: 1884520423-0
              • Opcode ID: e790ead4c2a979646e0e74e0d571d0dd255566e29a4a701714410d37b9f173c1
              • Instruction ID: 574d74e38c8303f4536e4a73236e2910146e8f92899300a954e2d4329422a271
              • Opcode Fuzzy Hash: e790ead4c2a979646e0e74e0d571d0dd255566e29a4a701714410d37b9f173c1
              • Instruction Fuzzy Hash: 7AF04FB1554304FBDB20DF50DC0AF9B7FB8EB01710F11862AE902A6290E7B5A9049B64
              APIs
              • CryptAcquireContextW.ADVAPI32(?,?,00000000,00000001,00000010,?,?,?,?,00496659,00000000), ref: 00496A75
              • CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,00496659,00000000), ref: 00496A7E
              • CryptDestroyHash.ADVAPI32(?,?,00000000,?,?,?,00496659,00000000), ref: 00496A87
              Similarity
              • API ID: Crypt$Context$AcquireDestroyHashRelease
              • String ID:
              • API String ID: 2937476097-0
              • Opcode ID: b53f6d5e88e2a0b58f78454286b7c48d0b9c6e6f5bcd83593a0223aaa6741bda
              • Instruction ID: d95170f1061ca3b7fb1b559829847831382171a91422429d3ce7f15d0d46e367
              • Opcode Fuzzy Hash: b53f6d5e88e2a0b58f78454286b7c48d0b9c6e6f5bcd83593a0223aaa6741bda
              • Instruction Fuzzy Hash: 1EE06D76100704EBD731AF66EC08D87BBFDEBC5711B010A3EB28692160D7B2A548CB64
              APIs
              • lstrcpyW.KERNEL32(?,?,00000000,?), ref: 00450C12
                • Part of subcall function 004516B6: CharNextW.USER32(?,?,?,00451608,?,00000000,?,0044798B,?,0000023C,00447A77,?,?,?,004199BE,00000000), ref: 004516C6
              • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 00450C50
                • Part of subcall function 00450760: CharNextW.USER32(?,?,?,?,00450247,?,?,00447A1B,004F2640,?,004F2EDC,?,?,004199BE,00000000,00000001), ref: 00450772
                • Part of subcall function 00450760: CharPrevW.USER32(?,?,?,?,?,00450247,?,?,00447A1B,004F2640,?,004F2EDC,?,?,004199BE,00000000), ref: 0045077F
                • Part of subcall function 00450760: CharNextW.USER32(00000000,?,?,00450247,?,?,00447A1B,004F2640,?,004F2EDC,?,?,004199BE,00000000,00000001,0000044F), ref: 0045079A
              Similarity
              • API ID: Char$Next$DiskFreePrevSpacelstrcpy
              • String ID:
              • API String ID: 1795153095-0
              • Opcode ID: a08fc4dc100e8368c42708f1f6ccbd24d14be52694e30e44cff988aa99ca6ce6
              • Instruction ID: 9223405407b5fe7847e40d0b9645e5ebf1f78f4efbe781228f283035f3794d6e
              • Opcode Fuzzy Hash: a08fc4dc100e8368c42708f1f6ccbd24d14be52694e30e44cff988aa99ca6ce6
              • Instruction Fuzzy Hash: 82111B7690012CABCB60DFA9CD44ACAB7FCBF08705F0482A7A985D3141DE34EA498FD4
              APIs
                • Part of subcall function 00459419: __getptd_noexit.LIBCMT ref: 0045941A
                • Part of subcall function 00459419: __amsg_exit.LIBCMT ref: 00459427
              • _GetPrimaryLen.LIBCMT ref: 0047678B
              • EnumSystemLocalesW.KERNEL32(00476840,00000001,000000A0,?,?,00476DCA,00000000,?,?,?,?,?,00000055), ref: 0047679B
              Similarity
              • API ID: EnumLocalesPrimarySystem__amsg_exit__getptd_noexit
              • String ID:
              • API String ID: 3487593440-0
              • Opcode ID: a479ddba78e8d021848c3c8cec6cec635ed6b1122e210a1f603b5393ef743275
              • Instruction ID: 8f133bb6e768281334b9a8fad90b03b4c39b2e21bbc7e75d5528e5672e6473ee
              • Opcode Fuzzy Hash: a479ddba78e8d021848c3c8cec6cec635ed6b1122e210a1f603b5393ef743275
              • Instruction Fuzzy Hash: 9E0147324107029FEB34AF34C405BA6BBE2EF01359F21892EE49D96181D7BC6858CB48
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 004882A2
              • LoadResource.KERNEL32(?,?,00000038,004883D8,?,?,?,?,?,00000001,?,?,00420D4D,?,?,?), ref: 004882B9
                • Part of subcall function 00411637: __EH_prolog3.LIBCMT ref: 0041163E
                • Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00415457,00000000,?,00000000,?,00000001,00000044,004152EA,004CC0A0,?,00000000,00000000,00000040,004115AA), ref: 00401B8F
                • Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
                • Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
                • Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4
              Similarity
              • API ID: ErrorFreeLastString$H_prolog3H_prolog3_LoadResource
              • String ID:
              • API String ID: 314531869-0
              • Opcode ID: 2608fe73ed155190c5a4ce38e320e90293b92e0cde53fa695606f72882a8776b
              • Instruction ID: 10b385f4261308fa41b3d9caaa93627fb4484eb1678885cae6b8995ae51c840b
              • Opcode Fuzzy Hash: 2608fe73ed155190c5a4ce38e320e90293b92e0cde53fa695606f72882a8776b
              • Instruction Fuzzy Hash: 2401DB349041049FDB08EB90C862AFE33A5EF55704F80049FF80297292DE3CAD09E758
              APIs
                • Part of subcall function 00459419: __getptd_noexit.LIBCMT ref: 0045941A
                • Part of subcall function 00459419: __amsg_exit.LIBCMT ref: 00459427
              • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00476A02,00000000,00000000,?), ref: 00476C32
              • _GetPrimaryLen.LIBCMT ref: 00476C51
              Similarity
              • API ID: InfoLocalePrimary__amsg_exit__getptd_noexit
              • String ID:
              • API String ID: 2554324226-0
              • Opcode ID: e651d09d174524b6274b9a6ada4e411ba32a23c4f337268dc823508aca08e688
              • Instruction ID: 517714ca7fc80664924679fbcb42c1b8a6b574c1efcfd2ae7af29383e23a1b3d
              • Opcode Fuzzy Hash: e651d09d174524b6274b9a6ada4e411ba32a23c4f337268dc823508aca08e688
              • Instruction Fuzzy Hash: 97F08B32A10100BFEB256731CC05BEE7759DB00358F06803FED8DA3141E93DAD40869C
              APIs
                • Part of subcall function 00459419: __getptd_noexit.LIBCMT ref: 0045941A
                • Part of subcall function 00459419: __amsg_exit.LIBCMT ref: 00459427
              • _GetPrimaryLen.LIBCMT ref: 004767EF
              • EnumSystemLocalesW.KERNEL32(00476A33,00000001,?,?,00476D94,0045D236,?,?,00000055,?,?,0045D236,?,?,?), ref: 00476802
              Similarity
              • API ID: EnumLocalesPrimarySystem__amsg_exit__getptd_noexit
              • String ID:
              • API String ID: 3487593440-0
              • Opcode ID: 9d29976de58d7c7a7499f3edd8d6a7ae9708493b5891791c679536d7d0b22084
              • Instruction ID: d72d200a864821bb5737429a17e9c1b939bd2f0e78c7f180bd6ba6bd8cf64b2d
              • Opcode Fuzzy Hash: 9d29976de58d7c7a7499f3edd8d6a7ae9708493b5891791c679536d7d0b22084
              • Instruction Fuzzy Hash: 00F05C31914704DFE7202B35E801FE67BD2CB02754F12C42FF84D8A181DA785C404A68
              APIs
              • SetUnhandledExceptionFilter.KERNEL32(00000000,00000000,0045AD55,-00000328,?,?,00000000), ref: 00462735
              • UnhandledExceptionFilter.KERNEL32(?,?,?,00000000), ref: 0046273E
              Similarity
              • API ID: ExceptionFilterUnhandled
              • String ID:
              • API String ID: 3192549508-0
              • Opcode ID: aa7a3ee9c74fc5cf53f73d83d9ee4367b94c4fc98ef38570e9ed0e9d84ac4a72
              • Instruction ID: 4af37b82afa146b7cccdba2fdcf2d91df3bbbbe609d867e8888cbad9b1df4dbe
              • Opcode Fuzzy Hash: aa7a3ee9c74fc5cf53f73d83d9ee4367b94c4fc98ef38570e9ed0e9d84ac4a72
              • Instruction Fuzzy Hash: E0B09231044208ABCF002B91EC09BC87FA8EB04A52F015120FA0D450A18B7654508B99
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6a5be979373acb3397f0051f29b70df379a70c74dadb800bf39b709ad977ed1f
              • Instruction ID: ceb194c156e5339d46b42e71e93585449c3e541d439db6ec134ae1d3bafd5183
              • Opcode Fuzzy Hash: 6a5be979373acb3397f0051f29b70df379a70c74dadb800bf39b709ad977ed1f
              • Instruction Fuzzy Hash: 8F524BB1E002159FDB04CF99C5806AEBBB1BF88304F2481BED854BB392D7799D52CB95
              Strings
              Similarity
              • API ID:
              • String ID: @
              • API String ID: 0-2766056989
              • Opcode ID: 3b85af3bdd17857dc9b8f81460857e6535e2eb9652121255c228eaa8633d076f
              • Instruction ID: 6848c26aec33beb73062acd1e581cff7ed0e438cb8616914a7eeb847483a6916
              • Opcode Fuzzy Hash: 3b85af3bdd17857dc9b8f81460857e6535e2eb9652121255c228eaa8633d076f
              • Instruction Fuzzy Hash: 9BF13C75E002188FCB24DFE8C5806ADB7B1FF89314F24817AD819AB395E739994ACB44
              APIs
                • Part of subcall function 00459419: __getptd_noexit.LIBCMT ref: 0045941A
                • Part of subcall function 00459419: __amsg_exit.LIBCMT ref: 00459427
              • GetLocaleInfoW.KERNEL32(00000000,?,?,000000F0), ref: 00476A8C
              Similarity
              • API ID: InfoLocale__amsg_exit__getptd_noexit
              • String ID:
              • API String ID: 3113341244-0
              • Opcode ID: 3d31c4dc78fb230e22f90854d00f98070db3c73519507f0189292cb9702e0066
              • Instruction ID: 54f7d7a4f6bd59b7dff1d61b32a3e0a0c014a531534f6008eea30bd6429bd2a8
              • Opcode Fuzzy Hash: 3d31c4dc78fb230e22f90854d00f98070db3c73519507f0189292cb9702e0066
              • Instruction Fuzzy Hash: A621CF71500616ABDB249F25D842BFB37A9EB02315F11807FF80996182EBB8ED45CB59
              APIs
              • CoCreateInstance.OLE32(004BCDC8,00000000,00000001,004CC0C0,?), ref: 0044061A
              Similarity
              • API ID: CreateInstance
              • String ID:
              • API String ID: 542301482-0
              • Opcode ID: 400a3e28634d0efb15d8140e23f4f4b700d11b82ce9b14c0870ea52dd4c3b583
              • Instruction ID: 6861829c558fc0504898e7c7917e59535f59c9a854e224ced7cbef5fe138ed3f
              • Opcode Fuzzy Hash: 400a3e28634d0efb15d8140e23f4f4b700d11b82ce9b14c0870ea52dd4c3b583
              • Instruction Fuzzy Hash: 50F0E972340221A793304F49D8C0E43FB98EFD9B60711012BFA099B240C7759C31CBE9
              APIs
              • GetLocaleInfoW.KERNEL32(?,00001004,?,00000014), ref: 00450924
              Similarity
              • API ID: InfoLocale
              • String ID:
              • API String ID: 2299586839-0
              • Opcode ID: df6238738cf2f997ad3235ff7b3739ac08862ff99e853c09f3eaa81a32a71bdf
              • Instruction ID: 0670a02ce16245ad8f5785fe6a97868da33b2e636985b20367bcd99c3b19d972
              • Opcode Fuzzy Hash: df6238738cf2f997ad3235ff7b3739ac08862ff99e853c09f3eaa81a32a71bdf
              • Instruction Fuzzy Hash: 9EF08271A00108ABDB00EFB898419D973E8AB08715B40442AE911D7192EA74DA049B58
              APIs
              • EnumSystemLocalesW.KERNEL32(00467C0C,00000001,?,00475F81,0047601F,00000003,00000000,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00467C4E
              Similarity
              • API ID: EnumLocalesSystem
              • String ID:
              • API String ID: 2099609381-0
              • Opcode ID: ed38978e1c0d2a1a446c74798cf5693de37eec4ac34103490edf17c39862bf17
              • Instruction ID: a318c78ff01f05e1b7b120eda2ea4bbd0110cf22538186891ad24714b0f5a1aa
              • Opcode Fuzzy Hash: ed38978e1c0d2a1a446c74798cf5693de37eec4ac34103490edf17c39862bf17
              • Instruction Fuzzy Hash: D5E04632140208AFDF11AFA0EC81BA93BE4FB48725F114421F6184A5A0C776A560CF4C
              APIs
              • GetLocaleInfoW.KERNEL32(00000000,?,00000002,?,?,00458BC3,?,?,?,00000002), ref: 00467CCD
              Similarity
              • API ID: InfoLocale
              • String ID:
              • API String ID: 2299586839-0
              • Opcode ID: 79cc2c6a1008b897b4cbd52782d7a1625d63296d97cd56cbb9522f122eba524c
              • Instruction ID: 74e6fffb95001a0316c3564aac777fddf405aa31bc8eb1e11d727c8d3676f6ee
              • Opcode Fuzzy Hash: 79cc2c6a1008b897b4cbd52782d7a1625d63296d97cd56cbb9522f122eba524c
              • Instruction Fuzzy Hash: A9D05E72008509BFCF01AFD4FC45CBA3BADFB08328B048415F9184A221E636F470DB29
              APIs
              • CryptImportKey.ADVAPI32(?,?,?,00000000,?,?,?,0049623C,?,?,?), ref: 004962AA
              Similarity
              • API ID: CryptImport
              • String ID:
              • API String ID: 365355273-0
              • Opcode ID: 9ba221486bf447a7756e4fa55fc9b4ba1e4dba021ba1a93d4fddfebe41a3c925
              • Instruction ID: 73119fdeae96873957e3efd41c47a8a0d88ec6a2d864f0183a59c6e0da8fa8d4
              • Opcode Fuzzy Hash: 9ba221486bf447a7756e4fa55fc9b4ba1e4dba021ba1a93d4fddfebe41a3c925
              • Instruction Fuzzy Hash: 65D0C93719410DBFDF01AFA4DC00EA97B6EEB24704F108125BB1DC90A0D633E525EB54
              APIs
              • CryptExportKey.ADVAPI32(?,00000000,00000006,?,?,?), ref: 00495DDC
              Similarity
              • API ID: CryptExport
              • String ID:
              • API String ID: 3389274496-0
              • Opcode ID: 3feafdae05b2d280403ef30c4bfdc3bb0a6a23186d7ae98da4159f7448dfdedf
              • Instruction ID: abbcc1d2d970f87eb4f7bc5b35dbbdd2263e68fe88594b9c1e91444bb1ece720
              • Opcode Fuzzy Hash: 3feafdae05b2d280403ef30c4bfdc3bb0a6a23186d7ae98da4159f7448dfdedf
              • Instruction Fuzzy Hash: 2DD0C93619420DBBDF116FA5DC01F597B2AEB24750F008124B61A890A0C6739431AB44
              APIs
              • CryptHashData.ADVAPI32(?,?,?,00000000), ref: 00496218
              Similarity
              • API ID: CryptDataHash
              • String ID:
              • API String ID: 4245837645-0
              • Opcode ID: 82546cab7b95529bae9b377b9aadedfe97e0d5d5bcc611eefb136cda7647d0c0
              • Instruction ID: 739d2985c4d30d91557811c120d31298fae079697a7f8bf2eefd098b5bcfdcf6
              • Opcode Fuzzy Hash: 82546cab7b95529bae9b377b9aadedfe97e0d5d5bcc611eefb136cda7647d0c0
              • Instruction Fuzzy Hash: 6FC012321A420DBBCF016EA5DC01E943B2AAB24711F208220B609880E0C633A020AB54
              APIs
              • SetUnhandledExceptionFilter.KERNEL32(?), ref: 00462713
              Similarity
              • API ID: ExceptionFilterUnhandled
              • String ID:
              • API String ID: 3192549508-0
              • Opcode ID: 0f637ef280f96eef964ec23177807bef704025f05e22f3812c598148fc9511eb
              • Instruction ID: e64df398cb85b3b613f9034364487c67ecaf664c70b4db4509933e8ff8075ddd
              • Opcode Fuzzy Hash: 0f637ef280f96eef964ec23177807bef704025f05e22f3812c598148fc9511eb
              • Instruction Fuzzy Hash: 75A0113000020CAB8F002B82EC088C83FACEB00AA2B000020F80C000208B32A8A08A88
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 57cb34c926d77861ecb3e857d9f7b18645f510fb0609e25a2397e3db2cf7179e
              • Instruction ID: 3b9c849e40d49af7fae464409db94a860402bc3dab5969a53e641220fe49ef26
              • Opcode Fuzzy Hash: 57cb34c926d77861ecb3e857d9f7b18645f510fb0609e25a2397e3db2cf7179e
              • Instruction Fuzzy Hash: F11278B7F9161447DB0CCA99CCA27EDB2E3AFD4218B0E913DA80AE3745EE7DD8054644
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9b4662c194f571484b4bea76932bbc0c72e59642c79b4f9482524b79a5f7474c
              • Instruction ID: 7089a1edd450a7e8ae305f209044edc23255945e8d601f2667d1b10b6f3519bf
              • Opcode Fuzzy Hash: 9b4662c194f571484b4bea76932bbc0c72e59642c79b4f9482524b79a5f7474c
              • Instruction Fuzzy Hash: 43E1A631A04655DFCB08CF6CC5C06ADBBF2FF89300F24826AD459EB382D6399A46DB54
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 15d2083d58af7ceb4a6e13938219ca15d5293058a8a348a8bf9db9e75ea0d307
              • Instruction ID: 577a2018585059d8d08ce8e7cb2952c7cdd7a59721f950c4b4eead5e62c59cd8
              • Opcode Fuzzy Hash: 15d2083d58af7ceb4a6e13938219ca15d5293058a8a348a8bf9db9e75ea0d307
              • Instruction Fuzzy Hash: 2971DB31B204565BE798DF1FEC94A393392E7C5350B894A39CA01C379AC738E921E7D8
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9812e1d05b5a8d4a9b4f835ce01b288051ddf9270f600eda6d3d21d896f6cfae
              • Instruction ID: 145b600864321e989587d7896439a84274ca5c1778aefebbada77ce71435c2fc
              • Opcode Fuzzy Hash: 9812e1d05b5a8d4a9b4f835ce01b288051ddf9270f600eda6d3d21d896f6cfae
              • Instruction Fuzzy Hash: 8671E731E205555BE798EF1EECD4E363352EB89300B894239DA09C739DC539EA22D798
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ebb202efc4706e5023142355143525edb23f3217c2c96fe2684d3223c32f205e
              • Instruction ID: a343cebbc4463c38e2c7cc1c64797311f78d318a0937be7ae6bcbd47dea148e9
              • Opcode Fuzzy Hash: ebb202efc4706e5023142355143525edb23f3217c2c96fe2684d3223c32f205e
              • Instruction Fuzzy Hash: 27615BB2E002158BCB18CF59C9802ADFBB1FF89314F2481BED819AB795C7758E51DB85
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0499db512783c090c8de6c2a309b3ceb87a2446daeff2d96906ad2b0f94d0b17
              • Instruction ID: 8a9294356b09e3afc6836899642950ad46e30a2929c30f1044ec4e15d88571c4
              • Opcode Fuzzy Hash: 0499db512783c090c8de6c2a309b3ceb87a2446daeff2d96906ad2b0f94d0b17
              • Instruction Fuzzy Hash: 11418571E0011857EB28CE99DD807EF7354AB54308F55857BCE4AB73C0DAB9EC4A8B84
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c23b4284aeb90cd012231d213ddc2fd9714c34e26367a5b20777ac01fc083c8e
              • Instruction ID: 238634a36bf034757def663a822ca7c5759c635f49910e78ca166e0e2340deb1
              • Opcode Fuzzy Hash: c23b4284aeb90cd012231d213ddc2fd9714c34e26367a5b20777ac01fc083c8e
              • Instruction Fuzzy Hash: E6416332E0051457EB28CE99DD907EF7351AB54348F49857BCE4AB73C0DAB9EC4A8A84
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ac5a4de6c493d616d3ca9707a9155293715155852ffdf739260b14de7879d5cc
              • Instruction ID: 2b36556f336bff256e22061b757fd0af286cf4f4a51d78c34205dfea3c73a363
              • Opcode Fuzzy Hash: ac5a4de6c493d616d3ca9707a9155293715155852ffdf739260b14de7879d5cc
              • Instruction Fuzzy Hash: 04318631E0010457EB28CE99DD907EF7350AB54348F49857BCE4AA73C0DAB9ED4A8A84
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2bfaff20f6b693bcb30a82896a9fecc9d74489f2272d18c9a6095062589e250b
              • Instruction ID: 6d9c46a090447547182e33f792d31971e7c1057f701d8ff6250f83809969d6b6
              • Opcode Fuzzy Hash: 2bfaff20f6b693bcb30a82896a9fecc9d74489f2272d18c9a6095062589e250b
              • Instruction Fuzzy Hash: 8721A731E0010457EB28CED8DCD07EB7360AB50348F58857BCE4AA73C1DAB9ED4A8A44
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
              • Instruction ID: aa8d52418a066ab87ca78dcbb80747c853bdb0150067b0f0c86155cd81feb898
              • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
              • Instruction Fuzzy Hash: EE117D77200082C3DE34CA3FC4B46BBEF96EBC632072C437BD8454BB48D62AD941A508
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8338693fb0c6edb53bb56aa9958e8839b8d4d08abd99e3f8ecad0ebf5c874056
              • Instruction ID: 8ed56cab19917832935f1d9acb9fc3f7fa28c0434c681a7f260e0fc5f792a20c
              • Opcode Fuzzy Hash: 8338693fb0c6edb53bb56aa9958e8839b8d4d08abd99e3f8ecad0ebf5c874056
              • Instruction Fuzzy Hash: E1D01231211212CBEB315E25EC4479277E4AB00711F39043E90C0B5294D7BD9DC0C758
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1e2db3e28bbc7ca6c132104cb0e1addad68744c78e5d0496a3f8b9d3966fca87
              • Instruction ID: 667bee28f806126770c43c532e42deebcbcc7d9777f2680d79feff11ba3f6ac2
              • Opcode Fuzzy Hash: 1e2db3e28bbc7ca6c132104cb0e1addad68744c78e5d0496a3f8b9d3966fca87
              • Instruction Fuzzy Hash: AAC012311102118BDB315E18F80079177D45B00391F25083EA084812D0E77C8CC0C744
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3d55ecea9b66f40bf3347f27bbf2536fbb9e5ff0e94f7432ba38606dd52e97c5
              • Instruction ID: adbc3ec4b30e5dae5bc112395f2be2facc8d5cfbab7f411ae233057bf9831914
              • Opcode Fuzzy Hash: 3d55ecea9b66f40bf3347f27bbf2536fbb9e5ff0e94f7432ba38606dd52e97c5
              • Instruction Fuzzy Hash: 89C08031111211CFDB315F15E80079277D45F00311F35043E94C0D1250D77C8CC0C788
              APIs
              • GetLastError.KERNEL32 ref: 0040221F
              • SetLastError.KERNEL32(004CC554), ref: 00402262
                • Part of subcall function 00403D20: SysStringLen.OLEAUT32(?), ref: 00403D2E
                • Part of subcall function 00403D20: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 00403D48
              • GetDateFormatW.KERNEL32(00000800,00000000,00000000,M-d-yyyy,00000000,00000080), ref: 004022AA
                • Part of subcall function 00403980: GetLastError.KERNEL32(17703A82,?,00000000), ref: 004039B9
                • Part of subcall function 00403980: SetLastError.KERNEL32(00000000,?,00000000), ref: 00403A4C
              • GetLastError.KERNEL32 ref: 004022D1
              • SetLastError.KERNEL32(004CC554), ref: 00402305
                • Part of subcall function 00403D20: _wmemcpy_s.LIBCMT ref: 00403D75
              • GetTimeFormatW.KERNEL32(00000800,00000000,00000000,hh':'mm':'ss tt,00000000,00000080,?,00000080), ref: 0040234A
                • Part of subcall function 00402CA0: GetLastError.KERNEL32(17703A82,?,00000000,?,?,?,004B3A88,000000FF,?,00401F2D,InstallShield.log,?,00000001), ref: 00402CF0
                • Part of subcall function 00402CA0: SetLastError.KERNEL32(?,004CBE7C,00000000,?,00000000,?,?,?,004B3A88,000000FF,?,00401F2D,InstallShield.log,?,00000001), ref: 00402D68
                • Part of subcall function 00403040: GetLastError.KERNEL32(17703A82,?,74DEE010), ref: 0040308E
                • Part of subcall function 00403040: SetLastError.KERNEL32(004CC554,00000000,00000000,000000FF,?,74DEE010), ref: 004030E4
                • Part of subcall function 00403040: GetLastError.KERNEL32(?,?,74DEE010), ref: 00403130
                • Part of subcall function 00403040: SysFreeString.OLEAUT32(004CC554), ref: 00403148
                • Part of subcall function 00403040: SysFreeString.OLEAUT32(00000007), ref: 00403153
                • Part of subcall function 00403040: SetLastError.KERNEL32(?), ref: 00403173
                • Part of subcall function 00403330: GetLastError.KERNEL32 ref: 00403393
                • Part of subcall function 00403330: SetLastError.KERNEL32(004CC554,00000000,00000000,000000FF), ref: 004033F6
                • Part of subcall function 00403040: GetLastError.KERNEL32(00000000,00000000,00000000,?,?,00000000), ref: 00403263
                • Part of subcall function 00403040: SetLastError.KERNEL32(?,00000007,00000000,000000FF), ref: 004032B7
                • Part of subcall function 00403040: GetLastError.KERNEL32 ref: 004032C4
                • Part of subcall function 00403040: SysFreeString.OLEAUT32(00000000), ref: 004032E0
                • Part of subcall function 00402DA0: GetLastError.KERNEL32 ref: 00402E05
                • Part of subcall function 00402DA0: SetLastError.KERNEL32(004CC554,00000000,00000000,000000FF), ref: 00402E65
                • Part of subcall function 00402DA0: GetLastError.KERNEL32 ref: 00402E8E
                • Part of subcall function 00402DA0: SetLastError.KERNEL32(?,00000000,00000000,000000FF), ref: 00402EEE
                • Part of subcall function 00402DA0: GetLastError.KERNEL32 ref: 00402F0E
              • GetLastError.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,00000001,?,?,?,00000001), ref: 00402407
              • SysFreeString.OLEAUT32(?), ref: 0040242B
              • SysFreeString.OLEAUT32(?), ref: 0040243E
              • SetLastError.KERNEL32(?), ref: 00402471
              • GetLastError.KERNEL32 ref: 00402486
              • SysFreeString.OLEAUT32(?), ref: 004024A4
              • SysFreeString.OLEAUT32(?), ref: 004024B7
              • SetLastError.KERNEL32(?), ref: 004024EA
              • GetLastError.KERNEL32 ref: 004024FF
              • SysFreeString.OLEAUT32(?), ref: 0040251D
              • SysFreeString.OLEAUT32(?), ref: 00402530
              • SetLastError.KERNEL32(?), ref: 00402563
              • GetLastError.KERNEL32 ref: 00402578
              • SysFreeString.OLEAUT32(?), ref: 00402596
              • SysFreeString.OLEAUT32(?), ref: 004025A9
              • SetLastError.KERNEL32(?), ref: 004025DC
              • GetLastError.KERNEL32 ref: 004025F1
              • SysFreeString.OLEAUT32(?), ref: 0040260F
              • SysFreeString.OLEAUT32(?), ref: 00402622
              • SetLastError.KERNEL32(?), ref: 00402655
              • GetLastError.KERNEL32 ref: 0040266D
              • SetLastError.KERNEL32(004CC554), ref: 004026C0
              • GetLastError.KERNEL32 ref: 00402785
              • SysFreeString.OLEAUT32(?), ref: 004027A3
              • SysFreeString.OLEAUT32(?), ref: 004027B6
              • SetLastError.KERNEL32(?), ref: 004027E9
              • GetLastError.KERNEL32 ref: 004027FE
              • SysFreeString.OLEAUT32(?), ref: 0040281C
              • SysFreeString.OLEAUT32(?), ref: 0040282F
              • SetLastError.KERNEL32(?), ref: 00402862
              • GetLastError.KERNEL32 ref: 00402871
              • SysFreeString.OLEAUT32(?), ref: 00402889
              • SysFreeString.OLEAUT32(?), ref: 00402896
              • SetLastError.KERNEL32(?), ref: 004028BA
              • GetLastError.KERNEL32 ref: 004028CF
              • SysFreeString.OLEAUT32(?), ref: 004028E7
              • SysFreeString.OLEAUT32(?), ref: 004028F4
                • Part of subcall function 004037E0: vswprintf.LIBCMT ref: 00403841
              • SetLastError.KERNEL32(?), ref: 00402918
              Similarity
              • API ID: ErrorLast$String$Free$Format$AllocDateTime_wmemcpy_svswprintf
              • String ID: %s[%s]: %s$%s[%s]: %s -- File: %s, Line: %d$M-d-yyyy$hh':'mm':'ss tt
              • API String ID: 1140557624-1641453432
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 0042A103
              • SetBkMode.GDI32(?,00000001), ref: 0042A16B
              • GetDlgCtrlID.USER32(?), ref: 0042A172
              • GetStockObject.GDI32(00000005), ref: 0042A198
              • SendMessageW.USER32(00000405,00000000,00000000,000000D8), ref: 0042A1C8
              • PostMessageW.USER32(00000000,00008032,00000000,00000000), ref: 0042A21D
              • SetWindowTextW.USER32(?,-00000004), ref: 0042A277
              • SetTimer.USER32(?,000003E9,000000FA,00000000), ref: 0042A299
              • GetDlgItem.USER32(?,000003E9), ref: 0042A2A7
              • GetDlgItem.USER32(?,000003EB), ref: 0042A2B1
              • GetDlgItem.USER32(?,0000012D), ref: 0042A2BB
              • SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 0042A2D0
              • GetDlgItem.USER32(?,000003EE), ref: 0042A31F
              • SendMessageW.USER32(00000000,00000031,00000000,00000000), ref: 0042A32E
              • GetObjectW.GDI32(00000000,0000005C,?), ref: 0042A343
              • GetDC.USER32(00000000), ref: 0042A34A
              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0042A355
              • ReleaseDC.USER32(00000000,00000000), ref: 0042A36C
              • GetDlgItem.USER32(?,00000409), ref: 0042A4E9
              • GetClientRect.USER32(00000000,?), ref: 0042A4FA
              • GetClientRect.USER32(?,?), ref: 0042A501
              • GetStockObject.GDI32(00000000), ref: 0042A51E
              • FillRect.USER32(?,?,00000000), ref: 0042A52A
              • GetSysColor.USER32(0000000F), ref: 0042A532
              • GetSysColorBrush.USER32(00000000), ref: 0042A53F
              • CreateSolidBrush.GDI32(?), ref: 0042A551
              • FillRect.USER32(?,?,00000000), ref: 0042A577
              • DeleteObject.GDI32(00000000), ref: 0042A57E
              • DeleteObject.GDI32(000000D8), ref: 0042A595
              • DeleteObject.GDI32 ref: 0042A5A6
              • DeleteObject.GDI32 ref: 0042A5AE
              • DeleteObject.GDI32 ref: 0042A5B6
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: Object$DeleteItem$MessageRect$Send$BrushClientColorFillStock$CapsCreateCtrlDeviceH_prolog3_ModePostReleaseSolidTextTimerWindow
              • String ID: Tahoma
              • API String ID: 1993185436-3580928618
              • Opcode ID: e6942ee662d678910c45ad0a45801a23d554f0e4b5f333a04df8c3ddf924b630
              • Instruction ID: c0d8643adae7d448438ff73198cfef079e01f8af312d94183765738a028d05a5
              • Opcode Fuzzy Hash: e6942ee662d678910c45ad0a45801a23d554f0e4b5f333a04df8c3ddf924b630
              • Instruction Fuzzy Hash: BBC1A1B1901224FFDB10AB64ED49FBE3BB8EB04311F010566F905A61F1C7789964CF69
              APIs
              • operator+.LIBCMT ref: 0046B502
                • Part of subcall function 00468AAD: DName::DName.LIBCMT ref: 00468ABE
                • Part of subcall function 00468AAD: DName::operator+.LIBCMT ref: 00468AC5
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: NameName::Name::operator+operator+
              • String ID:
              • API String ID: 2937105810-0
              • Opcode ID: f2f168840f7292c12d7729fea5f2682f1676c7bc5c9f64615fe64bc3d6b00752
              • Instruction ID: 0778643eb179687021268c56b5ff2bd6a6d66fcf9b496726dd01e9bb846866de
              • Opcode Fuzzy Hash: f2f168840f7292c12d7729fea5f2682f1676c7bc5c9f64615fe64bc3d6b00752
              • Instruction Fuzzy Hash: 94D12175900209AFCB00EFA5D891AEE7BF8EF44304F14415FE505E7291EB789A85CB9A
              APIs
                • Part of subcall function 00403E30: GetLastError.KERNEL32 ref: 00403E4F
                • Part of subcall function 00403E30: SetLastError.KERNEL32(?), ref: 00403E7F
                • Part of subcall function 004160CC: __EH_prolog3.LIBCMT ref: 004160D3
                • Part of subcall function 00416071: SysStringLen.OLEAUT32(?), ref: 0041607E
                • Part of subcall function 00416071: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 00416098
              • GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,?,00000104,17703A82,?,00000000,00000000,00000000,0049FF5E,000000FF,?,00412519,00000001,C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}), ref: 0041797D
                • Part of subcall function 00411BD3: __EH_prolog3_GS.LIBCMT ref: 00411BDA
                • Part of subcall function 00411BD3: GetLastError.KERNEL32(00000038,004212CA), ref: 00411BE1
                • Part of subcall function 00411BD3: SetLastError.KERNEL32(00000000), ref: 00411C37
                • Part of subcall function 00416398: __EH_prolog3_GS.LIBCMT ref: 004163A2
                • Part of subcall function 00411456: __EH_prolog3.LIBCMT ref: 0041145D
                • Part of subcall function 0048376D: __EH_prolog3_GS.LIBCMT ref: 00483777
              • GetSystemDirectoryW.KERNEL32(00000000,00000104), ref: 00417A60
              • SetCurrentDirectoryW.KERNEL32(?), ref: 00417A93
              • _memset.LIBCMT ref: 00417AB8
              • _memset.LIBCMT ref: 00417AD0
              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000044,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00417AF4
              • _memset.LIBCMT ref: 00417B15
              • _wcsncpy.LIBCMT ref: 00417B88
                • Part of subcall function 0048376D: GetLastError.KERNEL32 ref: 0048380C
                • Part of subcall function 0048376D: GetLastError.KERNEL32 ref: 004838CB
                • Part of subcall function 0048376D: __CxxThrowException@8.LIBCMT ref: 0048393B
              • _wcsncpy.LIBCMT ref: 00417BB3
              • GetCurrentProcess.KERNEL32(?,?,00000000,00000000,00000000,?,?,?,?,00000000,00000C31,?,?,?,?,?), ref: 00417BD1
              • GetCurrentProcess.KERNEL32(00000000,?,?,?,?,00000000,00000C31,?,?,?,?,?,00000000), ref: 00417BD4
              • DuplicateHandle.KERNEL32(00000000,?,?,?,?,00000000,00000C31,?,?,?,?,?,00000000), ref: 00417BD7
              • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,00000000,00000C31,?,?,?,?,?,00000000), ref: 00417BF7
              • CloseHandle.KERNEL32(?,?,?,?,?,00000000,00000C31,?,?,?,?,?,00000000), ref: 00417C03
              • CloseHandle.KERNEL32(?,?,?,?,?,00000000,00000C31,?,?,?,?,?,00000000), ref: 00417C0B
              • MoveFileExW.KERNEL32(?,00000000,00000004), ref: 00417C25
              • _memmove.LIBCMT ref: 00417C39
              • GetThreadContext.KERNEL32 ref: 00417C58
              • VirtualProtectEx.KERNEL32(?,?,00000C35,00000040,?), ref: 00417C9A
              • WriteProcessMemory.KERNEL32(?,?,?,00000C35,00000000), ref: 00417CB5
              • FlushInstructionCache.KERNEL32(?,?,00000C35), ref: 00417CC3
              • SetThreadContext.KERNEL32(?,00010003), ref: 00417CD6
              • ResumeThread.KERNEL32(?), ref: 00417CE2
              • CloseHandle.KERNEL32(?), ref: 00417CEE
              • CloseHandle.KERNEL32(?), ref: 00417CF6
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: ErrorLast$HandleProcess$Close$CurrentH_prolog3_Thread_memset$ContextDirectoryFileH_prolog3String_wcsncpy$AllocCacheCreateDuplicateException@8FlushInstructionMemoryModuleMoveNameProtectResumeSystemTerminateThrowVirtualWrite_memmove
              • String ID: explorer.exe
              • API String ID: 1370160537-3187896405
              • Opcode ID: 5484fd99bfd902400fc6aeeb9f9aae4c155121a0557ae521ec0e7a2ed04a1e85
              • Instruction ID: 72c0dde53372978aa3d900b14796ba7b5d04e2ee259ed5e45dd5eabc3ba6eec4
              • Opcode Fuzzy Hash: 5484fd99bfd902400fc6aeeb9f9aae4c155121a0557ae521ec0e7a2ed04a1e85
              • Instruction Fuzzy Hash: 31C13DB1805118EFEB25DB65CC88BDEBBB8EF05344F0041EAE509A2251DB395F84CFA5
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 004223F7
              • CoCreateInstance.OLE32(?,00000000,00000004,?,?,?,?,?,?,?,?,?,00000B28), ref: 00422434
                • Part of subcall function 004018F0: GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 00401914
                • Part of subcall function 004018F0: RegCloseKey.ADVAPI32(00000000), ref: 00401977
              • wsprintfW.USER32 ref: 00422459
              • wsprintfW.USER32 ref: 00422490
              • _memset.LIBCMT ref: 0042252B
              • CoCreateGuid.OLE32(?), ref: 00422562
              • lstrcatW.KERNEL32(?, /ForceROT), ref: 0042257A
              • lstrcatW.KERNEL32(?,?), ref: 004225A0
              • _memset.LIBCMT ref: 004225AD
              • CreateProcessW.KERNEL32 ref: 004225DD
              • SysFreeString.OLEAUT32(?), ref: 00422762
              • SysFreeString.OLEAUT32(?), ref: 00422790
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: Create$FreeString_memsetlstrcatwsprintf$CloseGuidH_prolog3_HandleInstanceModuleProcess
              • String ID: /ForceROT$CLSID\%s$CoCreateInstance failed with error 0x%lx, try a second approach.$D$Forcing item moniker %s into ROT...$LocalServer32
              • API String ID: 3416857870-2004123087
              • Opcode ID: 88f05992ad2d4c61600e0599f6867bed13e8149b027bdf3baf02bb997fdb0c08
              • Instruction ID: e748a0aa66b71210e557a9eb5d049598d0d37fb830b595843d8a2da91fc2d251
              • Opcode Fuzzy Hash: 88f05992ad2d4c61600e0599f6867bed13e8149b027bdf3baf02bb997fdb0c08
              • Instruction Fuzzy Hash: 14B1A171B00329AFDB20DB64DC44BDA77B8AF46304F1440EAE909E7651DBB89E84CF56
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 004274C3
                • Part of subcall function 004115ED: __EH_prolog3.LIBCMT ref: 004115F4
              • lstrcmpiW.KERNEL32(?,auto,?,?,00000001,000005E8,00428D00,?,?), ref: 00427511
              • CharNextW.USER32(?,/auto,00000000,00000000), ref: 00427628
              • lstrlenW.KERNEL32(?,0000000C,?,00000001,00000000,?,00000001), ref: 00427664
              • CharNextW.USER32(?,00000001,?,00000001), ref: 004276E8
              • CharNextW.USER32(?,eprq), ref: 00427836
              • lstrcmpW.KERNEL32(00000000,%IS_E%), ref: 00427844
              • lstrcpyW.KERNEL32(C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB},00000000), ref: 00427855
              • _memset.LIBCMT ref: 004278AC
              • lstrcpyW.KERNEL32(C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB},?), ref: 004278E4
              • RegDeleteValueW.ADVAPI32(?,00000000), ref: 004278F1
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: CharNext$lstrcpy$DeleteH_prolog3H_prolog3_Value_memsetlstrcmplstrcmpilstrlen
              • String ID: This setup was created with an EVALUATION VERSION of %s, which does not support extraction of the internal MSI file. The full ver$%IS_E%$/auto$C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}$Software\Microsoft\Windows\CurrentVersion$auto$debuglog$embed{$eprq
              • API String ID: 1541416560-2530503175
              • Opcode ID: c79e956a559a3602adbe8b9fa44eedc3f6e46a2284672608a3987a1cec234976
              • Instruction ID: 3ce00b113abbe1e0d35e636e962c450a6b07f4d5ffcbcee15b10388bd2bfd901
              • Opcode Fuzzy Hash: c79e956a559a3602adbe8b9fa44eedc3f6e46a2284672608a3987a1cec234976
              • Instruction Fuzzy Hash: BCE1AF70A05668AEDB20EB65CC95FEEB778AF00304F5040EBF109A6191DB785F84CF69
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 00435234
              • _memset.LIBCMT ref: 00435267
                • Part of subcall function 00402CA0: GetLastError.KERNEL32(17703A82,?,00000000,?,?,?,004B3A88,000000FF,?,00401F2D,InstallShield.log,?,00000001), ref: 00402CF0
                • Part of subcall function 00402CA0: SetLastError.KERNEL32(?,004CBE7C,00000000,?,00000000,?,?,?,004B3A88,000000FF,?,00401F2D,InstallShield.log,?,00000001), ref: 00402D68
              • wsprintfW.USER32 ref: 00435323
                • Part of subcall function 00446414: __EH_prolog3_GS.LIBCMT ref: 0044641B
              • wsprintfW.USER32 ref: 0043535A
              • wsprintfW.USER32 ref: 0043536D
              • _memset.LIBCMT ref: 00435443
              • SetCurrentDirectoryW.KERNEL32(?), ref: 0043547A
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: wsprintf$ErrorH_prolog3_Last_memset$CurrentDirectory
              • String ID: "%s" /c:"msiinst /delayrebootq"$"%s" /q$"%s" /quiet /norestart$/c:"msiinst /delayrebootq"$/quiet /norestart$2.0.2600.0$InstallerLocation$Installing MSI engine %s$Software\Microsoft\Windows\CurrentVersion\Installer$msiaction.cpp
              • API String ID: 3028750256-818091861
              • Opcode ID: e12c3304fa690403173253e0ef0ec36aa49c77f85cbd64a88d807aa951152028
              • Instruction ID: ffad5362f89c923b7ca0894d81019d5e2d2c0050c868964baeb366b1fcddac72
              • Opcode Fuzzy Hash: e12c3304fa690403173253e0ef0ec36aa49c77f85cbd64a88d807aa951152028
              • Instruction Fuzzy Hash: FB5194F1900618ABDB24DB54DC46BDD77B8AB15305F0001EFEA05E7292EB785E84CB6D
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 0042AD42
              • GetWindowLongW.USER32(?,000000EB), ref: 0042AD6A
              • GetDlgItem.USER32(?,00000132), ref: 0042AD85
              • SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0042AD9D
              • SendMessageW.USER32(00000000,00000150,00000000,00000000), ref: 0042ADA8
              • EndDialog.USER32(?,00000001), ref: 0042ADB7
              • EndDialog.USER32(?,00000002), ref: 0042ADCC
              • GetDlgItem.USER32(?,00000132), ref: 0042ADDD
              • SetWindowLongW.USER32(?,000000EB,?), ref: 0042ADED
              • SendMessageW.USER32(?,00000143,00000000,?), ref: 0042AE3C
              • SendMessageW.USER32(?,00000151,00000000,?), ref: 0042AE54
              • SendMessageW.USER32(?,0000014E), ref: 0042AE79
              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0042AEC4
              • SetDlgItemTextW.USER32(?,00000001,-00000004), ref: 0042AEF2
              • SetDlgItemTextW.USER32(?,00000002,-00000004), ref: 0042AF35
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: MessageSend$Item$DialogLongTextWindow$H_prolog3_
              • String ID:
              • API String ID: 3382325393-0
              • Opcode ID: 734b4db623c48f6fa0bfc983f7bd3e4e9a48a270bfc929d1ab3948ac7d656e50
              • Instruction ID: a61e998cd4b6c770a79caae85d6919e5073af0bf10cc7cc7c396e2183c014309
              • Opcode Fuzzy Hash: 734b4db623c48f6fa0bfc983f7bd3e4e9a48a270bfc929d1ab3948ac7d656e50
              • Instruction Fuzzy Hash: C671BF70A40228AFDB24DF64DC85BEE7779BF08711F41019AF546A71D1D7B8AA81CF28
              APIs
              • lstrcpyW.KERNEL32(000003FE,004CBE7C,?), ref: 00450D68
              • lstrcpyW.KERNEL32(00000000,004CBE7C), ref: 00450D70
              • _malloc.LIBCMT ref: 00450D8A
                • Part of subcall function 004576A6: __FF_MSGBANNER.LIBCMT ref: 004576BD
                • Part of subcall function 004576A6: __NMSG_WRITE.LIBCMT ref: 004576C4
                • Part of subcall function 004576A6: RtlAllocateHeap.NTDLL(006A0000,00000000,00000001,00000000,?,00000000,?,00459194,00000008,00000008,00000008,?,?,00467F03,00000018,004E4738), ref: 004576E9
              • _memset.LIBCMT ref: 00450D9B
              • _memset.LIBCMT ref: 00450DC6
              • wsprintfW.USER32 ref: 00450E18
              • _memset.LIBCMT ref: 00450E30
              • _memset.LIBCMT ref: 00450E78
              • _memmove.LIBCMT ref: 00450EA4
              • wsprintfW.USER32 ref: 00450EC4
              • wsprintfW.USER32 ref: 00450EDB
              • lstrcpyW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004B7EE0,?,?,00000000), ref: 00450EF1
              • _free.LIBCMT ref: 00450F03
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: _memset$lstrcpywsprintf$AllocateHeap_free_malloc_memmove
              • String ID: %s,%u$%u.%u.%u.%u$\VarFileInfo\Translation
              • API String ID: 3387234471-1385173819
              • Opcode ID: 48131a0db8416ccf3ca4e4230181e28bc708c69345fb9257fb06c6532f7580d8
              • Instruction ID: 55488a66ad5cab355131e47238bf243bc71bac4aaafbd6179b7f155856132f91
              • Opcode Fuzzy Hash: 48131a0db8416ccf3ca4e4230181e28bc708c69345fb9257fb06c6532f7580d8
              • Instruction Fuzzy Hash: E25165719001286BC720AB559C8AFAF77BCEF44705F1400AAFD09E6253D7789E54CFA9
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: H_prolog3__memset_wcscpy
              • String ID: %s%sReason: %s$>>> Fatal %sReason: %s$function failed.$handle in invalid state.$more buffer space required to hold data.$no more items.$passed a bad SQL syntax.$passed an invalid handle.$passed an invalid parameter.$unknown error.
              • API String ID: 2196721711-2340172371
              • Opcode ID: e4f6c138ed4cfc91a11faa79ad5bd7e7421de392065bf013c26b73ac190fea42
              • Instruction ID: 274dc182d3d7448d1132fa542fb3962bab1896361e8667ce30170abf0580a608
              • Opcode Fuzzy Hash: e4f6c138ed4cfc91a11faa79ad5bd7e7421de392065bf013c26b73ac190fea42
              • Instruction Fuzzy Hash: 0D312A31404205BAD720DB78ED0ABDB36A8BB04705F35E17BB9099614ADE7DCB44CB6D
              APIs
              • _memset.LIBCMT ref: 00442FFA
              • _memset.LIBCMT ref: 00443015
              • _wcschr.LIBCMT ref: 004430A9
              • _wcschr.LIBCMT ref: 004430B9
              • wsprintfW.USER32 ref: 004430E7
                • Part of subcall function 00402CA0: GetLastError.KERNEL32(17703A82,?,00000000,?,?,?,004B3A88,000000FF,?,00401F2D,InstallShield.log,?,00000001), ref: 00402CF0
                • Part of subcall function 00402CA0: SetLastError.KERNEL32(?,004CBE7C,00000000,?,00000000,?,?,?,004B3A88,000000FF,?,00401F2D,InstallShield.log,?,00000001), ref: 00402D68
                • Part of subcall function 00401AC0: GetLastError.KERNEL32(?,00000000,004035F7,00000000,00000000,?,?,00000000,004CBE7C,?,00000001,?,00000000,000000FF,-00000004,?), ref: 00401ACF
                • Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AEB
                • Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AF6
                • Part of subcall function 00401AC0: SetLastError.KERNEL32(?), ref: 00401B14
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: ErrorLast$FreeString_memset_wcschr$wsprintf
              • String ID: %s$ %s"%s"$ %s%s$ScriptDriven$Startup$auto$no_engine
              • API String ID: 1401725781-630800314
              • Opcode ID: 7698e9a24d824b1f841768a715b1207b50e4c1b3dccd251f40598c956a5fa63a
              • Instruction ID: 74e436cee2c8faf756088023ece8ea758547d486055b97c8f4f14ad6db06acdd
              • Opcode Fuzzy Hash: 7698e9a24d824b1f841768a715b1207b50e4c1b3dccd251f40598c956a5fa63a
              • Instruction Fuzzy Hash: B0E1A1B1904218AAEB24DB60DC45BEEB7B8AF54704F5001EEE605B71C1EB785F84CB69
              APIs
              • GetObjectW.GDI32(00000018,?), ref: 0044C99D
              • GetDesktopWindow.USER32 ref: 0044C9A7
              • GetClientRect.USER32(00000000), ref: 0044C9AE
              • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 0044C9D5
              • GetDC.USER32(?), ref: 0044C9F8
              • GetObjectW.GDI32(00000018,?), ref: 0044CA0F
              • CreateCompatibleDC.GDI32(00000000), ref: 0044CA16
              • UnrealizeObject.GDI32(00000000), ref: 0044CA33
              • SelectPalette.GDI32(00000000,00000000), ref: 0044CA43
              • RealizePalette.GDI32(00000000), ref: 0044CA4C
              • UnrealizeObject.GDI32 ref: 0044CA54
              • SelectPalette.GDI32(?,00000000), ref: 0044CA62
              • RealizePalette.GDI32(?), ref: 0044CA65
              • SelectObject.GDI32(00000000), ref: 0044CA73
              • BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 0044CA8A
              • ReleaseDC.USER32(?,00000000), ref: 0044CA94
              • DeleteDC.GDI32(00000000), ref: 0044CA9B
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: Object$Palette$Select$RealizeUnrealizeWindow$ClientCompatibleCreateDeleteDesktopMoveRectRelease
              • String ID:
              • API String ID: 366568439-0
              • Opcode ID: 1d4fa278cf78c22e57c0b611e57d0a0c48c000072a8758f5712faa5a4bbe073a
              • Instruction ID: 96635fc8ed373524d0e5a1877aa021c08a295e36e548e8136156660b3f96afc9
              • Opcode Fuzzy Hash: 1d4fa278cf78c22e57c0b611e57d0a0c48c000072a8758f5712faa5a4bbe073a
              • Instruction Fuzzy Hash: B1412C72900219BFDB10EFA5EC88EAF7BBDFB48741F054129F502A2161C7799914CF68
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 00431430
                • Part of subcall function 00403E30: GetLastError.KERNEL32 ref: 00403E4F
                • Part of subcall function 00403E30: SetLastError.KERNEL32(?), ref: 00403E7F
                • Part of subcall function 004160CC: __EH_prolog3.LIBCMT ref: 004160D3
                • Part of subcall function 00416071: SysStringLen.OLEAUT32(?), ref: 0041607E
                • Part of subcall function 00416071: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 00416098
              • GetTempPathW.KERNEL32(00000104,00000000,?,00000104), ref: 004314DB
                • Part of subcall function 00411BD3: __EH_prolog3_GS.LIBCMT ref: 00411BDA
                • Part of subcall function 00411BD3: GetLastError.KERNEL32(00000038,004212CA), ref: 00411BE1
                • Part of subcall function 00411BD3: SetLastError.KERNEL32(00000000), ref: 00411C37
              • CoCreateGuid.OLE32(?), ref: 004314F7
                • Part of subcall function 0042BF36: __EH_prolog3.LIBCMT ref: 0042BF3D
                • Part of subcall function 004202D0: __EH_prolog3_GS.LIBCMT ref: 004202D7
                • Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00415457,00000000,?,00000000,?,00000001,00000044,004152EA,004CC0A0,?,00000000,00000000,00000040,004115AA), ref: 00401B8F
                • Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
                • Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
                • Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4
              • CreateDirectoryW.KERNEL32(?,00000000,00000000,?,00000000), ref: 00431563
                • Part of subcall function 0042C185: __EH_prolog3.LIBCMT ref: 0042C18C
              • CreateDirectoryW.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000104,?), ref: 004317FD
              • GetPrivateProfileStringW.KERNEL32(?,-00000004,004CBE7C,?,00000104,?), ref: 0043170C
                • Part of subcall function 00401AC0: GetLastError.KERNEL32(?,00000000,004035F7,00000000,00000000,?,?,00000000,004CBE7C,?,00000001,?,00000000,000000FF,-00000004,?), ref: 00401ACF
                • Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AEB
                • Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AF6
                • Part of subcall function 00401AC0: SetLastError.KERNEL32(?), ref: 00401B14
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: ErrorLast$String$Free$CreateH_prolog3H_prolog3_$Directory$AllocGuidPathPrivateProfileTemp
              • String ID: !$Could not extract isconfig.ini from current issetup.dll$Extracting resources for '%s' to '%s'$ISConfig.ini for current issetup.dll does not contain TempPathGuid.$IsConfig.ini$SetupDefaults$TempPathGuid$msiaction.cpp
              • API String ID: 1174919792-1813314304
              • Opcode ID: f71f0431c63c044bd75f68bbcc4dd192c4885c1c65870a3a1949d1b987f3e84b
              • Instruction ID: 9d58459e715202f0f5fc7ab14d2d30cf6e5db322dde2e9dcd020666ac268dacf
              • Opcode Fuzzy Hash: f71f0431c63c044bd75f68bbcc4dd192c4885c1c65870a3a1949d1b987f3e84b
              • Instruction Fuzzy Hash: 60F18030901158EEDB25EBA4CC99BDDBBB4AF15308F5400EEE04967192DB785F88CF65
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 00440961
              • _wcsstr.LIBCMT ref: 004409F0
              • CharNextW.USER32(?,?,00000000,00000001,0000005C,00440D17,?,00000000), ref: 00440A01
              • CharNextW.USER32(00000000,?,?,00000000,00000001,0000005C,00440D17,?,00000000), ref: 00440A06
              • CharNextW.USER32(00000000,?,?,00000000,00000001,0000005C,00440D17,?,00000000), ref: 00440A0B
              • CharNextW.USER32(00000000,?,?,00000000,00000001,0000005C,00440D17,?,00000000), ref: 00440A10
              • CharNextW.USER32(00000000,}},?,00000000,00000001,0000005C,00440D17,?,00000000), ref: 00440AB8
              • CharNextW.USER32(?,00000000,?), ref: 00440B3D
              • CharNextW.USER32(?,00000000,00000001,0000005C,00440D17,?,00000000), ref: 00440B51
              • CoTaskMemFree.OLE32(?,0000005C,00440D17,?,00000000), ref: 00440B99
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: CharNext$FreeH_prolog3_Task_wcsstr
              • String ID: }}$HKCR$HKCU{Software{Classes
              • API String ID: 2086807494-1142484189
              • Opcode ID: 2393a5ab458f91e738ef05b97960cd2f7b4535129ff75c2460a1a57d10f84f8a
              • Instruction ID: bc5437ad1b2b3e1a622d9e29f97ee07ee41d7289132b5986b6e0fa4366d4c855
              • Opcode Fuzzy Hash: 2393a5ab458f91e738ef05b97960cd2f7b4535129ff75c2460a1a57d10f84f8a
              • Instruction Fuzzy Hash: 157182709043469FFB14DBE5C851AAEB7B4EF24304F24402AEA45AB385EB7C9C64CB5C
              APIs
                • Part of subcall function 004018F0: GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 00401914
                • Part of subcall function 004018F0: RegCloseKey.ADVAPI32(00000000), ref: 00401977
              • _memset.LIBCMT ref: 00428176
                • Part of subcall function 004019E0: RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?), ref: 00401A08
              • RegDeleteValueW.ADVAPI32(?,00000000), ref: 004281A9
                • Part of subcall function 004115ED: __EH_prolog3.LIBCMT ref: 004115F4
                • Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00415457,00000000,?,00000000,?,00000001,00000044,004152EA,004CC0A0,?,00000000,00000000,00000040,004115AA), ref: 00401B8F
                • Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
                • Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
                • Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4
              • RegDeleteValueW.ADVAPI32(?,ISSetup), ref: 00428076
                • Part of subcall function 004018C0: RegCloseKey.ADVAPI32(00000000,00000000,0044FF28,000001F0,?,00000000,0000000A,?,?,00000001,ServicePack,?,00000001,?,000001F0,00000000), ref: 004018CA
                • Part of subcall function 004018F0: GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 0040192B
              • __wcsnicmp.LIBCMT ref: 0042808F
              • CharNextW.USER32 ref: 004280A0
              • lstrcmpW.KERNEL32(00000000,%IS_V%), ref: 004280AE
              • lstrcpyW.KERNEL32(004EF8A8,?,/verbose,?,00000001), ref: 00428243
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: Value$CloseDeleteErrorFreeLastString$AddressCharH_prolog3HandleModuleNextProcQuery__wcsnicmp_memsetlstrcmplstrcpy
              • String ID: %IS_V%$-$/verbose$ISSetup$Software\Microsoft\Windows\CurrentVersion$Software\Microsoft\Windows\CurrentVersion\Run$verbose
              • API String ID: 2817573039-2314801802
              • Opcode ID: 9377b0a82abc4c8159b7855ae7da98245e587a93e8d450631f91e269b99c266a
              • Instruction ID: a427ab31b775413960859b75c926c27f9d208b9ea9d33a20cba2f0671fc5d811
              • Opcode Fuzzy Hash: 9377b0a82abc4c8159b7855ae7da98245e587a93e8d450631f91e269b99c266a
              • Instruction Fuzzy Hash: 9151C130901568AADB24EB21DC45BEE7B78AF14345F0000EFB549B2192DF785F89CF69
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: _free$__calloc_crt$___freetlocinfo___removelocaleref$Sleep__calloc_impl__copytlocinfo_nolock__setmbcp_nolock__wsetlocale_nolock
              • String ID:
              • API String ID: 2661855409-0
              • Opcode ID: 8714e11c7a7cac13504e01f4c96d20561ee3f94a0fc2b203a95dbe5012da7b31
              • Instruction ID: 85d26bf29363774933064e31ee8c8864129962b615f5a4bca1469ad67a2c4fed
              • Opcode Fuzzy Hash: 8714e11c7a7cac13504e01f4c96d20561ee3f94a0fc2b203a95dbe5012da7b31
              • Instruction Fuzzy Hash: 4221E575804A05FAE7353F26DC0290E7BA4DF4076BF20402FFC84561A3FA2D891ACA9D
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: H_prolog3_
              • String ID: 1.0$1.1$2.0$2.0.0.0$3.0$3.0.0.0$DotNetLangPacks$DotNetOptional$DotNetOptionalInstallIfSilent$J#InstallOptionIfSilent$J#Optional$Startup
              • API String ID: 2427045233-1844836242
              • Opcode ID: c4aae29e4eb78da697136581b8463332cd0de938fa486ccd12acd8faada80461
              • Instruction ID: 7ba45146569f135fa1ff47af57d23e83c581ef9c7405b0e4820c987d040642e4
              • Opcode Fuzzy Hash: c4aae29e4eb78da697136581b8463332cd0de938fa486ccd12acd8faada80461
              • Instruction Fuzzy Hash: C2D1D170A00258AADF25DF25CC427EEB7A4AB59304F1040EEE545A7281DBB88F84CF99
              APIs
              • GetLastError.KERNEL32 ref: 00403393
              • SetLastError.KERNEL32(004CC554,00000000,00000000,000000FF), ref: 004033F6
                • Part of subcall function 00404770: GetLastError.KERNEL32 ref: 004047CB
                • Part of subcall function 00404770: SetLastError.KERNEL32(004CC554), ref: 00404803
              • GetLastError.KERNEL32(?,00000000,000000FF,-00000004,?,00000001,?,00000000,?), ref: 0040360E
              • SetLastError.KERNEL32(?,?,00000000,000000FF), ref: 0040365D
              • GetLastError.KERNEL32 ref: 00403676
              • SysFreeString.OLEAUT32(?), ref: 00403690
              • SysFreeString.OLEAUT32(?), ref: 0040369D
              • SetLastError.KERNEL32(?), ref: 004036C1
              • GetLastError.KERNEL32 ref: 004036D4
              • SysFreeString.OLEAUT32(?), ref: 004036EC
              • SysFreeString.OLEAUT32(?), ref: 004036F9
              • SetLastError.KERNEL32(?), ref: 0040371D
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: ErrorLast$FreeString
              • String ID: \
              • API String ID: 2425351278-2967466578
              • Opcode ID: 214729712e33b3cb4e0b6696daca7ec59c55da9a6222ee89cb314a2cdef1b324
              • Instruction ID: 0d4e1570c8206b5936591aef324a3f88476d7d553fa0ca5a878089c50fc2e8d8
              • Opcode Fuzzy Hash: 214729712e33b3cb4e0b6696daca7ec59c55da9a6222ee89cb314a2cdef1b324
              • Instruction Fuzzy Hash: 09C15F715083409FD720DF24C884B9BBBE4BF88318F504A2EF595972E1DB79E948CB96
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 0042DE6A
              • _memset.LIBCMT ref: 0042DE81
              • _memset.LIBCMT ref: 0042DE9C
                • Part of subcall function 00450D2A: lstrcpyW.KERNEL32(000003FE,004CBE7C,?), ref: 00450D68
                • Part of subcall function 00450D2A: lstrcpyW.KERNEL32(00000000,004CBE7C), ref: 00450D70
                • Part of subcall function 00450D2A: _malloc.LIBCMT ref: 00450D8A
                • Part of subcall function 00450D2A: _memset.LIBCMT ref: 00450D9B
                • Part of subcall function 00450D2A: _memset.LIBCMT ref: 00450DC6
                • Part of subcall function 00450D2A: wsprintfW.USER32 ref: 00450E18
                • Part of subcall function 00450D2A: _memset.LIBCMT ref: 00450E30
                • Part of subcall function 004519EB: lstrcpyW.KERNEL32(?,@&O,00000000), ref: 00451A24
                • Part of subcall function 004519EB: lstrcpyW.KERNEL32(?,00000001), ref: 00451A2E
                • Part of subcall function 004519EB: _swscanf.LIBCMT ref: 00451AA3
                • Part of subcall function 004519EB: _swscanf.LIBCMT ref: 00451ACC
                • Part of subcall function 00446414: __EH_prolog3_GS.LIBCMT ref: 0044641B
              • GetVersionExW.KERNEL32 ref: 0042DF1F
              • _memset.LIBCMT ref: 0042DFA1
              • GetTempPathW.KERNEL32(00000400,?), ref: 0042DFB6
              • GetWindowsDirectoryW.KERNEL32(?,00000400), ref: 0042DFE1
                • Part of subcall function 0042E3BA: _memset.LIBCMT ref: 0042E40F
                • Part of subcall function 0042E3BA: __wsplitpath.LIBCMT ref: 0042E41F
                • Part of subcall function 0042E3BA: lstrcatW.KERNEL32(?,004B7EE0), ref: 0042E433
                • Part of subcall function 00402CA0: GetLastError.KERNEL32(17703A82,?,00000000,?,?,?,004B3A88,000000FF,?,00401F2D,InstallShield.log,?,00000001), ref: 00402CF0
                • Part of subcall function 00402CA0: SetLastError.KERNEL32(?,004CBE7C,00000000,?,00000000,?,?,?,004B3A88,000000FF,?,00401F2D,InstallShield.log,?,00000001), ref: 00402D68
                • Part of subcall function 00445824: __EH_prolog3_GS.LIBCMT ref: 0044582E
                • Part of subcall function 00401AC0: GetLastError.KERNEL32(?,00000000,004035F7,00000000,00000000,?,?,00000000,004CBE7C,?,00000001,?,00000000,000000FF,-00000004,?), ref: 00401ACF
                • Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AEB
                • Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AF6
                • Part of subcall function 00401AC0: SetLastError.KERNEL32(?), ref: 00401B14
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: _memset$ErrorLastlstrcpy$H_prolog3_$FreeString_swscanf$DirectoryPathTempVersionWindows__wsplitpath_malloclstrcatwsprintf
              • String ID: Msi.DLL$Startup$SupportOS$SupportOSMsi12$SupportOSMsi30$SuppressWrongOS
              • API String ID: 3706879116-4027240730
              • Opcode ID: 63a4662d1b5d7e61dfdf0abd86f11d4a9f17fd510b1fc0ae4bc05c69809ce501
              • Instruction ID: ca746854af4a5322b111183a4e1416e50e9c39d1e5f3cb3864e485ed27f2e07b
              • Opcode Fuzzy Hash: 63a4662d1b5d7e61dfdf0abd86f11d4a9f17fd510b1fc0ae4bc05c69809ce501
              • Instruction Fuzzy Hash: 6881C771A001259AEB24DB65DD85BEE72A8AF05309F4041BFE50AE3181DF389A49CF6D
              APIs
              • GetLastError.KERNEL32 ref: 004055BF
              • SetLastError.KERNEL32(004CC554,00000000,00000000,000000FF), ref: 00405628
              • SetLastError.KERNEL32(004CC554), ref: 0040567E
              • GetLastError.KERNEL32(?,000000FF,00000001), ref: 0040574E
              • SetLastError.KERNEL32(?,?,00000000,000000FF), ref: 0040579D
              • GetLastError.KERNEL32 ref: 004057AC
              • SysFreeString.OLEAUT32(?), ref: 004057C6
              • SysFreeString.OLEAUT32(?), ref: 004057D3
              • SetLastError.KERNEL32(?), ref: 004057F7
              • SysFreeString.OLEAUT32(?), ref: 00405823
              • SysFreeString.OLEAUT32(?), ref: 00405830
              • SetLastError.KERNEL32(?), ref: 00405854
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: ErrorLast$FreeString
              • String ID: .
              • API String ID: 2425351278-248832578
              • Opcode ID: 3b15671e7bd774fc646ff011320622824199b1566df9d3f042bc3da2eaa66c9c
              • Instruction ID: b734b4aa6abe6a6e0ba685a4743cf736a5c4a89407366186bc7da20184907e61
              • Opcode Fuzzy Hash: 3b15671e7bd774fc646ff011320622824199b1566df9d3f042bc3da2eaa66c9c
              • Instruction Fuzzy Hash: 7191F9715083409FD710DF28C884B5BBBE4FF89318F104A2DF599972A1DB79E848CB96
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 00431C3D
              • VariantChangeType.OLEAUT32(?,?,00000000,00000002), ref: 00431C87
              • VariantClear.OLEAUT32(?), ref: 00431E56
              Strings
              • {1C370964-514B-321C-7237-2B4FD86D8568}, xrefs: 00431DD5
              • {78705f0d-e8db-4b2d-8193-982bdda15ecd}, xrefs: 00431CE3
              • {9B29D757-088E-E8C9-2535-AA319B92C00A}, xrefs: 00431CD9
              • Software\Microsoft\Active Setup\Installed Components\%s, xrefs: 00431E14
              • {F1B13231-13BE-1231-5401-486BA763DEB6}, xrefs: 00431D31
              • {E7E2C871-090A-C372-F9AE-C3C6A988D260}, xrefs: 00431D63
              • {6741C120-01BA-87F9-8734-5FB9DA8A4445}, xrefs: 00431CFF
              • {021122EA-49DC-4aeb-9D15-DCEAD9BAB1BC}, xrefs: 00431DCE
              • {F279058C-50B2-4BE4-60C9-369CACF06821}, xrefs: 00431CED
              • {7E76A8D6-33D1-0032-16C3-4593092861D0}, xrefs: 00431D9A
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: Variant$ChangeClearH_prolog3_Type
              • String ID: Software\Microsoft\Active Setup\Installed Components\%s${021122EA-49DC-4aeb-9D15-DCEAD9BAB1BC}${1C370964-514B-321C-7237-2B4FD86D8568}${6741C120-01BA-87F9-8734-5FB9DA8A4445}${78705f0d-e8db-4b2d-8193-982bdda15ecd}${7E76A8D6-33D1-0032-16C3-4593092861D0}${9B29D757-088E-E8C9-2535-AA319B92C00A}${E7E2C871-090A-C372-F9AE-C3C6A988D260}${F1B13231-13BE-1231-5401-486BA763DEB6}${F279058C-50B2-4BE4-60C9-369CACF06821}
              • API String ID: 1792846764-3581822646
              • Opcode ID: 60079d340341cbdf8f0d463a247b50925632a9e4bcb20bdefc8c18412374a711
              • Instruction ID: 538edf6ff0480f31f2418203c333d47ef03a5f2a475cf02da74db8edf1cc85ed
              • Opcode Fuzzy Hash: 60079d340341cbdf8f0d463a247b50925632a9e4bcb20bdefc8c18412374a711
              • Instruction Fuzzy Hash: 8B51917090021CEACB15DB94CC95BEEB778BB19304F5450AFE105B31D1DBB86B89CBA9
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 004894BD
              • GetModuleHandleW.KERNEL32(kernel32.dll,CreateToolhelp32Snapshot,000002A8,00485CAE,0048BECB,?,?,0000006C,0048BECB,004881FF,?,?), ref: 004894D5
              • GetProcAddress.KERNEL32(00000000), ref: 004894D8
              • GetModuleHandleW.KERNEL32(Kernel32.dll,Process32First,?,0000006C,0048BECB,004881FF,?,?), ref: 00489513
              • GetProcAddress.KERNEL32(00000000), ref: 00489516
              • GetModuleHandleW.KERNEL32(Kernel32.dll,Process32Next,?,0000006C,0048BECB,004881FF,?,?), ref: 0048952C
              • GetProcAddress.KERNEL32(00000000), ref: 0048952F
              • _memset.LIBCMT ref: 0048955A
                • Part of subcall function 00489610: __EH_prolog3_GS.LIBCMT ref: 0048961A
                • Part of subcall function 00489610: GetModuleHandleW.KERNEL32(Ntdll.dll,NtQueryInformationProcess,?,00000400,?,000004A0,004895FE,00000000,?,0000006C,0048BECB,004881FF,?,?), ref: 0048964A
                • Part of subcall function 00489610: GetProcAddress.KERNEL32(00000000), ref: 00489651
                • Part of subcall function 00489610: OpenProcess.KERNEL32(00000400,00000000,?,?,0000006C,0048BECB,004881FF,?,?), ref: 0048967D
                • Part of subcall function 00489610: _memset.LIBCMT ref: 004896A2
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: AddressHandleModuleProc$H_prolog3__memset$OpenProcess
              • String ID: CreateToolhelp32Snapshot$Kernel32.dll$Process32First$Process32Next$kernel32.dll
              • API String ID: 2047754285-1872946363
              • Opcode ID: 0a8660ca4af3dac1b102e7a5410ec7894a65ab6a703cac7655c2caffd0e14fd1
              • Instruction ID: d7fbaeea89e088c8e1359660e713be79b54de127aec3990eb5467bb8c76e51fa
              • Opcode Fuzzy Hash: 0a8660ca4af3dac1b102e7a5410ec7894a65ab6a703cac7655c2caffd0e14fd1
              • Instruction Fuzzy Hash: B0319331900218ABDB11FBA0CC89FEE73B8AF05745F2405ABF905A2181DF785E84CF59
              APIs
              • GetModuleHandleW.KERNEL32(Kernel32.dll), ref: 004867C6
              • GetProcAddress.KERNEL32(00000000,GetSystemDefaultUILanguage), ref: 004867D6
              • RegOpenKeyExW.ADVAPI32(80000003,.Default\Control Panel\desktop\ResourceLocale,00000000,000F003F,?,?,00000000), ref: 0048680F
              • RegQueryValueExW.ADVAPI32(?,004CBE7C,00000000,00000000,?,@&O), ref: 00486827
              • RegOpenKeyExW.ADVAPI32(80000003,.DEFAULT\Control Panel\International,00000000,000F003F,?), ref: 00486848
              • RegQueryValueExW.ADVAPI32(?,Locale,00000000,00000000,?,@&O), ref: 00486862
              • __wcstoi64.LIBCMT ref: 00486884
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
               • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: OpenQueryValue$AddressHandleModuleProc__wcstoi64
              • String ID: @&O$.DEFAULT\Control Panel\International$.Default\Control Panel\desktop\ResourceLocale$GetSystemDefaultUILanguage$Kernel32.dll$Locale
              • API String ID: 2065448255-2812970693
              • Opcode ID: 681c0f2819e30316f8b7ba625a543ba0e3d292f8d24d8cf12430e3ef76d0b3f7
              • Instruction ID: 04c21472fe45d8d57b19d0ec6a265fad1f83ef38f832973f6525be2fb779f2be
              • Opcode Fuzzy Hash: 681c0f2819e30316f8b7ba625a543ba0e3d292f8d24d8cf12430e3ef76d0b3f7
              • Instruction Fuzzy Hash: F8216571D0121DAFEB11FBA18C81FBF77BCEB04745F15053AAA01F2141DA689D048BA9
              APIs
              • GetModuleHandleW.KERNEL32(Kernel32,UnmapViewOfFile,?,?,?,00499753), ref: 00499786
              • GetProcAddress.KERNEL32(00000000), ref: 0049978F
              • GetModuleHandleW.KERNEL32(Kernel32,CloseHandle,?,?,?,00499753), ref: 004997A4
              • GetProcAddress.KERNEL32(00000000), ref: 004997A7
              • GetModuleHandleW.KERNEL32(Kernel32,SetFilePointer,?,?,?,00499753), ref: 004997C4
              • GetProcAddress.KERNEL32(00000000), ref: 004997C7
              • GetModuleHandleW.KERNEL32(Kernel32,SetEndOfFile,?,?,?,00499753), ref: 004997E7
              • GetProcAddress.KERNEL32(00000000), ref: 004997EA
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
               • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: AddressHandleModuleProc
              • String ID: CloseHandle$Kernel32$SetEndOfFile$SetFilePointer$UnmapViewOfFile
              • API String ID: 1646373207-1519668244
              • Opcode ID: 994e2487b8e9665b50a7b7769652dfcb1ca93d23f5e752f7c9d07de3ed84eb47
              • Instruction ID: 94791af4bd088fcb82ae02610d48b1c79e60719a68299921c8bd48f7b6500c75
              • Opcode Fuzzy Hash: 994e2487b8e9665b50a7b7769652dfcb1ca93d23f5e752f7c9d07de3ed84eb47
              • Instruction Fuzzy Hash: 2411B234140B00AEDB626FB99C44F27BAF4AF80B40B25853FE456A15A0CF79EC408A18
              APIs
                • Part of subcall function 0042E5E6: _memset.LIBCMT ref: 0042E61F
              • SendMessageW.USER32(00000000,00000401,00000000,00000001), ref: 0042EB0A
              • _memset.LIBCMT ref: 0042EB34
              • _memset.LIBCMT ref: 0042EB4B
                • Part of subcall function 004507E7: __EH_prolog3_GS.LIBCMT ref: 004507F1
                • Part of subcall function 004507E7: wsprintfW.USER32 ref: 00450833
                • Part of subcall function 004507E7: wvsprintfW.USER32(?,?,00000000), ref: 0045084E
                • Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00415457,00000000,?,00000000,?,00000001,00000044,004152EA,004CC0A0,?,00000000,00000000,00000040,004115AA), ref: 00401B8F
                • Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
                • Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
                • Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4
                • Part of subcall function 0042BE33: __EH_prolog3_GS.LIBCMT ref: 0042BE3A
                • Part of subcall function 0042BE33: __itow_s.LIBCMT ref: 0042BE71
                • Part of subcall function 0042BE33: SetLastError.KERNEL32(00000006,?,00000000,?,?,?,00000000,?,?,00000001), ref: 0042BEA0
                • Part of subcall function 0042BEB4: __EH_prolog3_GS.LIBCMT ref: 0042BEBB
                • Part of subcall function 0042BEB4: __ltow_s.LIBCMT ref: 0042BEF3
                • Part of subcall function 0042BEB4: SetLastError.KERNEL32(00000008,00000000,00000000,?,?,?,00000000,?,?,00000001), ref: 0042BF22
                • Part of subcall function 00420B07: __EH_prolog3_GS.LIBCMT ref: 00420B11
              • _memset.LIBCMT ref: 0042EFCD
              • lstrcmpW.KERNEL32(?,004CBE7C,?,?), ref: 0042F006
              • SendMessageW.USER32(?,00000401,00000000,00000000), ref: 0042F096
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
               • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: ErrorH_prolog3_Last_memset$FreeMessageSendString$__itow_s__ltow_slstrcmpwsprintfwvsprintf
              • String ID: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}$DownloadFiles: %s$DownloadFiles: downloading %s$T$msiaction.cpp$o
              • API String ID: 1474050675-1547367522
              • Opcode ID: 271eab108b14081c998453347d7a007066b1e47cab97a21521a6b396ce0e3e77
              • Instruction ID: b060f3b94bf903b7b337d672ebaacd2ba33175402ecb60c449a75a0804a5e3e2
              • Opcode Fuzzy Hash: 271eab108b14081c998453347d7a007066b1e47cab97a21521a6b396ce0e3e77
              • Instruction Fuzzy Hash: C8025E71A00228DFDB20EB65CC95BDDB7F4AB05344F4040EAE109A7191EB78AF89CF65
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 0044C6A1
              • GetObjectW.GDI32(?,00000018,?), ref: 0044C6B3
              • CreateCompatibleDC.GDI32(00000000), ref: 0044C6D6
              • SelectObject.GDI32(00000000,?), ref: 0044C6E6
              • GetDIBColorTable.GDI32(00000000,00000000,00000100,?), ref: 0044C6FB
              • GlobalAlloc.KERNEL32(00000042,00000408), ref: 0044C70A
              • GlobalLock.KERNEL32(00000000), ref: 0044C71A
              • GetSystemPaletteEntries.GDI32(?,00000000,0000000A,00000004), ref: 0044C7B5
              • GetSystemPaletteEntries.GDI32(?,000000F6,0000000A,000003DC), ref: 0044C7C6
              • CreatePalette.GDI32(00000000), ref: 0044C7C9
              • DeleteDC.GDI32(?), ref: 0044C7D5
              • GetDC.USER32(00000000), ref: 0044C7EC
              • CreateHalftonePalette.GDI32(00000000), ref: 0044C7F5
              • ReleaseDC.USER32(00000000,00000000), ref: 0044C802
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
               • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: Palette$Create$EntriesGlobalObjectSystem$AllocColorCompatibleDeleteH_prolog3_HalftoneLockReleaseSelectTable
              • String ID:
              • API String ID: 447354755-0
              • Opcode ID: b61ef8906598ccd0bfba2dde3d2b8f0b53c6b8ba9a2abe19cf772cfe29c2f138
              • Instruction ID: 61ff4050f3872406627d8cf592230fd14269450f35bf3a973ff766003dfc1c02
              • Opcode Fuzzy Hash: b61ef8906598ccd0bfba2dde3d2b8f0b53c6b8ba9a2abe19cf772cfe29c2f138
              • Instruction Fuzzy Hash: 38419DB15002599FD720DF21DC84BEABFB8EF55304F0880FAEA4597252C7384A46CF29
              APIs
              • _memset.LIBCMT ref: 0044E8EB
              • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,00000080,00000000,?,?,?), ref: 0044E929
              • GetLastError.KERNEL32 ref: 0044E936
              • WriteFile.KERNEL32(00000000,?,0000002E,?,00000000,00000000,?,00000000,00000001), ref: 0044E996
              • GetFileSize.KERNEL32(00000000,00000000,00000000,?,00000000,00000000), ref: 0044E9D2
              • SetEndOfFile.KERNEL32(00000000), ref: 0044EA02
              • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0044EA41
              • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0044EA85
              • ReadFile.KERNEL32(00000000,?,00000400,?,00000000,00000000,?,00000000,00000001), ref: 0044EAAA
              • SetEndOfFile.KERNEL32(00000000), ref: 0044EAB5
              • CloseHandle.KERNEL32(00000000), ref: 0044EABC
              • CloseHandle.KERNEL32(00000000), ref: 0044EAC3
              • ReadFile.KERNEL32(?,?,?,?,00000000,?,?,00000000,00000000,?), ref: 0044EB44
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
               • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: File$CloseCreateHandleReadWrite$ErrorLastSize_memset
              • String ID:
              • API String ID: 4216745599-0
              • Opcode ID: 5d1c9e9654000c7c2790b8bdd0398adb3a29d7373c93364076de4fa18bb34294
              • Instruction ID: 2c1e6ea5e30c56a171de6a3fae2878356e8a03b4b301347055e90c48f229b736
              • Opcode Fuzzy Hash: 5d1c9e9654000c7c2790b8bdd0398adb3a29d7373c93364076de4fa18bb34294
              • Instruction Fuzzy Hash: 1D7175B1600214AFEB24AF62CC85FAE73ADBF44704F400099FB05A7291DB78AE55CB5D
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 00449752
                • Part of subcall function 00416398: __EH_prolog3_GS.LIBCMT ref: 004163A2
                • Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00415457,00000000,?,00000000,?,00000001,00000044,004152EA,004CC0A0,?,00000000,00000000,00000040,004115AA), ref: 00401B8F
                • Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
                • Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
                • Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4
                • Part of subcall function 00418F22: __EH_prolog3.LIBCMT ref: 00418F29
                • Part of subcall function 00403E30: GetLastError.KERNEL32 ref: 00403E4F
                • Part of subcall function 00403E30: SetLastError.KERNEL32(?), ref: 00403E7F
                • Part of subcall function 004193C8: __EH_prolog3.LIBCMT ref: 004193CF
                • Part of subcall function 00416071: SysStringLen.OLEAUT32(?), ref: 0041607E
                • Part of subcall function 00416071: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 00416098
                • Part of subcall function 00419D16: __EH_prolog3_GS.LIBCMT ref: 00419D20
                • Part of subcall function 00419D16: SysStringLen.OLEAUT32(?), ref: 00419E46
                • Part of subcall function 00419D16: SysFreeString.OLEAUT32(?), ref: 00419E55
                • Part of subcall function 00419D16: SysFreeString.OLEAUT32(?), ref: 00419E9A
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
               • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: String$ErrorFreeLast$H_prolog3_$H_prolog3$Alloc
              • String ID: IS_OriginalLauncher:$IS_temp$auto$delayedstart:$extract_all:$installfromweb:$media_path:$no_engine$runfromtemp$tempdisk1folder:
              • API String ID: 3067009588-744011383
              • Opcode ID: d48660266138af16c658f8e3f336b9f7e3767c30a9c5f76a330faaa158412037
              • Instruction ID: a889306be2ea3415b1ecb462e4856f085c62518f721cc07257001bc97c1d3f94
              • Opcode Fuzzy Hash: d48660266138af16c658f8e3f336b9f7e3767c30a9c5f76a330faaa158412037
              • Instruction Fuzzy Hash: C4F1AE30900298EEDF24EBA1CC55BDEBB75AF12308F1441DEE045671D2CBB85E89CBA5
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 0043C4BF
                • Part of subcall function 00402CA0: GetLastError.KERNEL32(17703A82,?,00000000,?,?,?,004B3A88,000000FF,?,00401F2D,InstallShield.log,?,00000001), ref: 00402CF0
                • Part of subcall function 00402CA0: SetLastError.KERNEL32(?,004CBE7C,00000000,?,00000000,?,?,?,004B3A88,000000FF,?,00401F2D,InstallShield.log,?,00000001), ref: 00402D68
                • Part of subcall function 004457A9: __EH_prolog3_GS.LIBCMT ref: 004457B0
                • Part of subcall function 00401AC0: GetLastError.KERNEL32(?,00000000,004035F7,00000000,00000000,?,?,00000000,004CBE7C,?,00000001,?,00000000,000000FF,-00000004,?), ref: 00401ACF
                • Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AEB
                • Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AF6
                • Part of subcall function 00401AC0: SetLastError.KERNEL32(?), ref: 00401B14
                • Part of subcall function 00403B80: GetLastError.KERNEL32 ref: 00403B9F
                • Part of subcall function 00403B80: SetLastError.KERNEL32(?), ref: 00403BCF
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
               • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: ErrorLast$FreeH_prolog3_String
              • String ID: %s%d$.$InstanceId$Instances$PackageCode$ProductCode$ProductVersion$UpgradeCode$count$key
              • API String ID: 2608676048-3806387272
              • Opcode ID: a7c78d6c5b25a58b8c38fa4383a5781e7d2e82e76c6a6d650fc9cd76a131170d
              • Instruction ID: ab3357d609ee738083c6fc05ed0992d5b0b7c35d7f3b470b979965706cba7452
              • Opcode Fuzzy Hash: a7c78d6c5b25a58b8c38fa4383a5781e7d2e82e76c6a6d650fc9cd76a131170d
              • Instruction Fuzzy Hash: 7CF15A71901259EADB15EBA0CD95BEDB7B8AB14308F1040EAE109B71C2DB785B88CF95
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 00450FC6
              • GetCurrentThread.KERNEL32 ref: 00450FDD
              • OpenThreadToken.ADVAPI32(00000000), ref: 00450FE4
              • GetLastError.KERNEL32 ref: 00450FF4
              • GetCurrentProcess.KERNEL32(00000008,?), ref: 00451003
              • OpenProcessToken.ADVAPI32(00000000), ref: 0045100A
              • GetLastError.KERNEL32 ref: 00451010
              • GetTokenInformation.ADVAPI32(?,00000002,00000000,00000000,?), ref: 00451033
              • GetLastError.KERNEL32 ref: 00451039
              • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?), ref: 0045105E
              • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0045107B
              • EqualSid.ADVAPI32(00000004,?), ref: 00451096
              • FreeSid.ADVAPI32(?), ref: 004510B6
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
               • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: Token$ErrorLast$CurrentInformationOpenProcessThread$AllocateEqualFreeH_prolog3_Initialize
              • String ID:
              • API String ID: 2153409075-0
              • Opcode ID: f352a44a6e797829a80fbdfcd4496c25fc38491c12294712927d68bdf5ab7d5e
              • Instruction ID: ce8a80aa9a5ad45e8049bd11e718c4b3d529e4a87bf982539df888d4ca860449
              • Opcode Fuzzy Hash: f352a44a6e797829a80fbdfcd4496c25fc38491c12294712927d68bdf5ab7d5e
              • Instruction Fuzzy Hash: 3F31A371900209AFDF10AFE1DC44FBE77B8EF08745F10453AE901E65A1DA3C8D499B69
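Three of the entries above only become readable once their hex arguments are decoded: the Toolhelp process walk resolves Process32Next and NtQueryInformationProcess at run time and opens each process with 00000400, the locale lookup opens keys under hive 80000003 with access mask 000F003F, and the token check requests token information class 00000002 and builds a SID from sub-authorities 00000020 and 00000220. The script below is an added example for reading this report, not code from the report or from SureDI.exe. It parses Joe Sandbox "APIs" lines and names those constants from the documented Windows values (PROCESS_QUERY_INFORMATION, HKEY_USERS, KEY_ALL_ACCESS, TokenGroups, and the S-1-5-32-544 RID pair that identifies BUILTIN\Administrators). The embedded trace lines are copied from the entries above; the S-1-5 authority is an assumption, because the authority pointer prints as "?" in the trace, and the run-time import list is a heuristic over adjacent GetModuleHandleW/GetProcAddress lines rather than a reconstruction of the import table.

```python
"""Decode the numeric arguments in Joe Sandbox "APIs" trace lines.

Added example, not code from the report or from the analysed sample. It parses lines
such as "• OpenProcess.KERNEL32(00000400,...), ref: 0048967D", names the constants an
analyst cares about (OpenProcess access mask, GetTokenInformation class, the RIDs given
to AllocateAndInitializeSid, RegOpenKeyExW hive and SAM mask) and lists the names the
sample resolves at run time through GetProcAddress.
"""
import re

LINE_RE = re.compile(r"(?:Part of subcall function [0-9A-Fa-f]+:\s*)?(?P<api>\w+)\.(?P<mod>\w+)"
                     r"(?:\((?P<args>[^)]*)\))?(?:,\s*ref:\s*(?P<ref>[0-9A-Fa-f]+))?")
HEX8 = re.compile(r"[0-9A-Fa-f]{8}")  # Joe Sandbox prints numeric arguments as 8 hex digits

PROCESS_ACCESS = {0x1: "PROCESS_TERMINATE", 0x2: "PROCESS_CREATE_THREAD", 0x8: "PROCESS_VM_OPERATION",
                  0x10: "PROCESS_VM_READ", 0x20: "PROCESS_VM_WRITE", 0x40: "PROCESS_DUP_HANDLE",
                  0x400: "PROCESS_QUERY_INFORMATION", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION"}
TOKEN_CLASS = {1: "TokenUser", 2: "TokenGroups", 3: "TokenPrivileges", 20: "TokenElevation"}
RIDS = {0x20: "SECURITY_BUILTIN_DOMAIN_RID", 0x220: "DOMAIN_ALIAS_RID_ADMINS", 0x221: "DOMAIN_ALIAS_RID_USERS"}
HIVES = {0x80000001: "HKEY_CURRENT_USER", 0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
KEY_ACCESS = {0xF003F: "KEY_ALL_ACCESS", 0x20019: "KEY_READ", 0x20006: "KEY_WRITE"}

# Constructed from lines in the report's process-enumeration, locale-lookup and token-check entries.
SAMPLE_TRACE = r"""
• GetModuleHandleW.KERNEL32(Kernel32.dll,Process32Next,?,0000006C,0048BECB,004881FF,?,?), ref: 0048952C
• GetProcAddress.KERNEL32(00000000), ref: 0048952F
• Part of subcall function 00489610: GetModuleHandleW.KERNEL32(Ntdll.dll,NtQueryInformationProcess,?,00000400,?,000004A0,004895FE,00000000,?,0000006C,0048BECB,004881FF,?,?), ref: 0048964A
• Part of subcall function 00489610: GetProcAddress.KERNEL32(00000000), ref: 00489651
• Part of subcall function 00489610: OpenProcess.KERNEL32(00000400,00000000,?,?,0000006C,0048BECB,004881FF,?,?), ref: 0048967D
• GetModuleHandleW.KERNEL32(Kernel32.dll), ref: 004867C6
• GetProcAddress.KERNEL32(00000000,GetSystemDefaultUILanguage), ref: 004867D6
• RegOpenKeyExW.ADVAPI32(80000003,.DEFAULT\Control Panel\International,00000000,000F003F,?), ref: 00486848
• GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?), ref: 0045105E
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0045107B
"""

def parse_line(line):
    """Return (api, module, args, ref) for an API trace line, None for anything else."""
    m = LINE_RE.match(line.strip().lstrip("• "))
    if not m:
        return None
    args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
    return m.group("api"), m.group("mod"), args, m.group("ref")

def _hex(arg):
    """Integer value of an 8-digit hex argument; None for '?' and string arguments."""
    return int(arg, 16) if HEX8.fullmatch(arg) else None

def _is_name(arg):
    return arg != "?" and _hex(arg) is None

def decode_mask(value, table):
    """Split an access mask into named bits, with any unknown remainder as hex."""
    names = [name for bit, name in table.items() if value & bit]
    rest = value & ~sum(table)
    return names + ([hex(rest)] if rest else [])

def annotate(api, args):
    """Explain the security-relevant arguments of one call, or None."""
    if api == "OpenProcess" and args and _hex(args[0]) is not None:
        return "access=" + "|".join(decode_mask(_hex(args[0]), PROCESS_ACCESS))
    if api == "GetTokenInformation" and len(args) > 1 and _hex(args[1]) is not None:
        return "class=" + TOKEN_CLASS.get(_hex(args[1]), args[1])
    if api == "AllocateAndInitializeSid" and len(args) > 3 and _hex(args[1]) == 2:
        rids = [_hex(a) for a in args[2:4]]
        if None not in rids:
            # The authority pointer prints as '?'; S-1-5 (SECURITY_NT_AUTHORITY) is the usual
            # pairing for these RIDs and is assumed here, not read from the trace.
            names = "/".join(RIDS.get(r, hex(r)) for r in rids)
            return "sid=S-1-5-%d-%d (%s, assuming SECURITY_NT_AUTHORITY)" % (*rids, names)
    if api == "RegOpenKeyExW" and len(args) > 3:
        hive = HIVES.get(_hex(args[0]), args[0])
        sam = KEY_ACCESS.get(_hex(args[3]), args[3])
        return f"{hive}\\{args[1]} sam={sam}"
    return None

def resolved_imports(records):
    """(dll, name) pairs resolved via GetProcAddress. Joe Sandbox prints neighbouring stack
    slots as arguments, so the name shows up as the second GetProcAddress argument or on
    the preceding GetModuleHandleW line. A heuristic over the trace, not the import table."""
    found, prev = [], None
    for rec in records:
        api, _, args, _ = rec
        if api == "GetProcAddress":
            dll, cands = "?", args[1:2]
            if prev and prev[0] == "GetModuleHandleW" and prev[2]:
                dll, cands = prev[2][0], cands + prev[2][1:2]
            name = next((c for c in cands if _is_name(c)), None)
            if name:
                found.append((dll, name))
        prev = rec
    return found

def analyse(trace):
    """Parse a trace; return (records, {ref: annotation}, resolved imports)."""
    records = [r for r in map(parse_line, trace.splitlines()) if r]
    notes = {ref: f"{api}: {note}" for api, _, args, ref in records if (note := annotate(api, args))}
    return records, notes, resolved_imports(records)

if __name__ == "__main__":
    _, notes, imports = analyse(SAMPLE_TRACE)
    print(*(f"{ref} {note}" for ref, note in notes.items()), sep="\n")
    print("resolved at run time:", imports)
```

Run against the embedded lines it reports PROCESS_QUERY_INFORMATION for the OpenProcess at 0048967D, HKEY_USERS with KEY_ALL_ACCESS for the RegOpenKeyExW at 00486848, TokenGroups for the GetTokenInformation at 0045105E and S-1-5-32-544 for the AllocateAndInitializeSid at 0045107B, which together read as an "is the caller a member of BUILTIN\Administrators" check of the kind an installer performs before writing to the Windows directory. Pasting a report's whole "APIs" section in place of SAMPLE_TRACE gives the same summary for every function; the decoding tables deliberately cover only the constants that matter for triage, and unknown values fall through unchanged rather than being guessed.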
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 00447006
                • Part of subcall function 00445A4B: __EH_prolog3_catch_GS.LIBCMT ref: 00445A55
              • IsValidLocale.KERNEL32(?,00000001), ref: 0044708F
              • _memset.LIBCMT ref: 00447116
              • __itow.LIBCMT ref: 0044712F
                • Part of subcall function 00457863: _xtow@16.LIBCMT ref: 00457884
              • _wcscat.LIBCMT ref: 0044714F
                • Part of subcall function 00402CA0: GetLastError.KERNEL32(17703A82,?,00000000,?,?,?,004B3A88,000000FF,?,00401F2D,InstallShield.log,?,00000001), ref: 00402CF0
                • Part of subcall function 00402CA0: SetLastError.KERNEL32(?,004CBE7C,00000000,?,00000000,?,?,?,004B3A88,000000FF,?,00401F2D,InstallShield.log,?,00000001), ref: 00402D68
                • Part of subcall function 004115ED: __EH_prolog3.LIBCMT ref: 004115F4
                • Part of subcall function 004202D0: __EH_prolog3_GS.LIBCMT ref: 004202D7
                • Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00415457,00000000,?,00000000,?,00000001,00000044,004152EA,004CC0A0,?,00000000,00000000,00000040,004115AA), ref: 00401B8F
                • Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
                • Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
                • Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4
                • Part of subcall function 00442F9C: _memset.LIBCMT ref: 00442FFA
                • Part of subcall function 00442F9C: _memset.LIBCMT ref: 00443015
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
               • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: ErrorLast$_memset$FreeH_prolog3_String$H_prolog3H_prolog3_catch_LocaleValid__itow_wcscat_xtow@16
              • String ID: /LangTransform$C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}$Default language: %d, got code page %d$Language transforms in stream$Using language transforms from setup.exe location$session.cpp
              • API String ID: 270145964-1208174506
              • Opcode ID: e5d5fd4cbe5b56f5733f401de549405cbb3d7761e78e29fa37f9ea63709aeac5
              • Instruction ID: ff34bc6ff1f00ccb998423f382c0068cb09374c35b66b851f2d209b6313161dd
              • Opcode Fuzzy Hash: e5d5fd4cbe5b56f5733f401de549405cbb3d7761e78e29fa37f9ea63709aeac5
              • Instruction Fuzzy Hash: 3CE1A370A04218EEEB14EB61CC45BEEB7B8BB04304F1041EAE149A71D1DF789B85DF98
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
               • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: _free$Pointer$DecodeDecrementEncodeErrorFreeHeapInterlockedLast
              • String ID:
              • API String ID: 4264854383-0
              • Opcode ID: 39a2531a113029473c7d30a5033dce850d763cfa854db9aecb9d50d1d8a1f1ba
              • Instruction ID: f957a33ec52ce3e04f7041ccdf20c61d7e2eecdb7a91e824b815623b8d579066
              • Opcode Fuzzy Hash: 39a2531a113029473c7d30a5033dce850d763cfa854db9aecb9d50d1d8a1f1ba
              • Instruction Fuzzy Hash: 52214F36904A519FCB186F59FC8542B37F4AB54776316013FEC04A72A2DF3858AACA8D
              APIs
              • _wcscmp.LIBCMT ref: 004122FD
              • GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,?,00000104), ref: 00412395
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
               • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: FileModuleName_wcscmp
              • String ID: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}$Files$Folders$NO_KEY_VALUE$_ISMSIDEL.INI
              • API String ID: 1193818139-2616640014
              • Opcode ID: 88fc6ff763a4a3eecdeb4852a353de30f657bb66783dc557a14887c4763d4b93
              • Instruction ID: 4fde6156fb28ec768f89b976fe417e2bf09171a86efdcea7f05620b5fa907402
              • Opcode Fuzzy Hash: 88fc6ff763a4a3eecdeb4852a353de30f657bb66783dc557a14887c4763d4b93
              • Instruction Fuzzy Hash: F0C1B671900258AADB21EB55CC49BDEB7B8BF14308F1441DBE509A3182DBB85FC9CF69
              APIs
              Strings
              • DotNetDelayReboot, xrefs: 004336E5
              • Startup, xrefs: 00433702
              • System is Win9x or reboot is not being suppressed, reboot will be immediate, xrefs: 00433878
              • Software\Microsoft\Windows\CurrentVersion\Installer, xrefs: 004338F2
              • Reboot will be deferred, xrefs: 004337E5
              • msiaction.cpp, xrefs: 0043376D, 004337C5, 00433858
              • Redist return value (%d) indicates a reboot is required, DotNetDelayReboot is %x, xrefs: 00433767
              • InstallerLocation, xrefs: 00433935
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
               • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: CurrentDirectoryH_prolog3__memset
              • String ID: DotNetDelayReboot$InstallerLocation$Reboot will be deferred$Redist return value (%d) indicates a reboot is required, DotNetDelayReboot is %x$Software\Microsoft\Windows\CurrentVersion\Installer$Startup$System is Win9x or reboot is not being suppressed, reboot will be immediate$msiaction.cpp
              • API String ID: 277675003-2561541245
              • Opcode ID: 083cf3dc91fce28ea9b63e7d946d94693e74e27f37b2764b9dc74b8a0124c3ee
              • Instruction ID: 809bb1133b98b2050ca09dc9072b7ddb8fa100fe56c168819e5824eca0678d30
              • Opcode Fuzzy Hash: 083cf3dc91fce28ea9b63e7d946d94693e74e27f37b2764b9dc74b8a0124c3ee
              • Instruction Fuzzy Hash: 21818070905258AEEF64EF64CC89BDDB7B4AB14304F5041EAA109A31E1DB784FC9CF59
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 0045121F
                • Part of subcall function 00402CA0: GetLastError.KERNEL32(17703A82,?,00000000,?,?,?,004B3A88,000000FF,?,00401F2D,InstallShield.log,?,00000001), ref: 00402CF0
                • Part of subcall function 00402CA0: SetLastError.KERNEL32(?,004CBE7C,00000000,?,00000000,?,?,?,004B3A88,000000FF,?,00401F2D,InstallShield.log,?,00000001), ref: 00402D68
              • _memset.LIBCMT ref: 00451247
              • _memset.LIBCMT ref: 00451258
              • CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000020,00000000,00000000,?,?,?,?,?,?,?,?), ref: 004512E3
              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00451315
              • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 0045133A
              • GetExitCodeProcess.KERNEL32(?,?), ref: 00451347
              • CloseHandle.KERNEL32(?,?,?,?,?,00000001,000000B8,0042E2D1,?,00000001), ref: 00451358
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
               • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: ErrorLastProcess_memset$CloseCodeCreateExitH_prolog3_HandleMessageMultipleObjectsPeekWait
              • String ID: Attempting to launch: %s$Launch result %d, exit code %d$utils.cpp
              • API String ID: 3068613049-2353317557
              • Opcode ID: bcdff268c4fed1d4c013e01dc30a06dd3c3eaee1b21dedb3e28454cacc837513
              • Instruction ID: 2361dfe982cd4698ba7c40090303c645481651a2212b0f6b55414f93986304a0
              • Opcode Fuzzy Hash: bcdff268c4fed1d4c013e01dc30a06dd3c3eaee1b21dedb3e28454cacc837513
              • Instruction Fuzzy Hash: 81416CB1C00208AFEB14DBE5CD95EEEB7BCEF04345F14416AE905A7292D6785E09CF68
              APIs
              • _memset.LIBCMT ref: 004513B1
              • ShellExecuteExW.SHELL32(0000003C), ref: 004513F5
              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0045145E
              • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 00451476
              • GetExitCodeProcess.KERNEL32(?,CCCCCCCC), ref: 00451487
              • CloseHandle.KERNEL32(?), ref: 00451498
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
               • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: CloseCodeExecuteExitHandleMessageMultipleObjectsPeekProcessShellWait_memset
              • String ID: <$@
              • API String ID: 116963689-1426351568
              • Opcode ID: b194a4cb31c16cdd1d4e9bbfeeee21f8c1fa6f857f3e63cfcfdb26def9a48d38
              • Instruction ID: 4a89eb61a19ab1f9d6c16e9fdb97eb23ffbfda59f75827dec630e2a3c28ee222
              • Opcode Fuzzy Hash: b194a4cb31c16cdd1d4e9bbfeeee21f8c1fa6f857f3e63cfcfdb26def9a48d38
              • Instruction Fuzzy Hash: 9C310B71D00209EFDF10DFE4DD84ADEBBB8FB09346F10416AE901A6251D7799E48DB29
              APIs
                • Part of subcall function 00459419: __getptd_noexit.LIBCMT ref: 0045941A
                • Part of subcall function 00459419: __amsg_exit.LIBCMT ref: 00459427
              • _wcscmp.LIBCMT ref: 0045D1D1
              • _wcscmp.LIBCMT ref: 0045D1E7
              • ___get_qualified_locale.LIBCMT ref: 0045D238
                • Part of subcall function 00476474: _TranslateName.LIBCMT ref: 004764B4
                • Part of subcall function 00476474: _GetLocaleNameFromLangCountry.LIBCMT ref: 004764CD
                • Part of subcall function 00476474: _TranslateName.LIBCMT ref: 004764E8
                • Part of subcall function 00476474: _GetLocaleNameFromLangCountry.LIBCMT ref: 004764FE
                • Part of subcall function 00476474: IsValidCodePage.KERNEL32(00000000,?,?,00000055,?,?,0045D23D,?,?,?,?,00000004,?,00000000), ref: 00476552
              • GetACP.KERNEL32(?,?,?,?,?,00000004,?,00000000), ref: 0045D2CF
              • _memmove.LIBCMT ref: 0045D385
              • __lock.LIBCMT ref: 0045D3F9
              • InterlockedDecrement.KERNEL32(00000000), ref: 0045D40C
              • _free.LIBCMT ref: 0045D422
              • __lock.LIBCMT ref: 0045D43B
              • ___removelocaleref.LIBCMT ref: 0045D44A
              • ___freetlocinfo.LIBCMT ref: 0045D463
              • _free.LIBCMT ref: 0045D476
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
               • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: Name$CountryFromLangLocaleTranslate__lock_free_wcscmp$CodeDecrementInterlockedPageValid___freetlocinfo___get_qualified_locale___removelocaleref__amsg_exit__getptd_noexit_memmove
              • String ID:
              • API String ID: 665088265-0
              • Opcode ID: 07ffa68bcf2bcac922a3ae1caa97632511d2964be4990ec12db0a23770f0c8f7
              • Instruction ID: 713b093c651da5770f1b690f59ef7bae99ce709ab75089e54b8d56ce779f4fd8
              • Opcode Fuzzy Hash: 07ffa68bcf2bcac922a3ae1caa97632511d2964be4990ec12db0a23770f0c8f7
              • Instruction Fuzzy Hash: 1F918571D00215AADB306F25CC41BAF77B8AF45356F14409BFD09A6243EA389E89CB59
              APIs
              • GetLastError.KERNEL32(17703A82,?,74DEE010), ref: 0040308E
              • SetLastError.KERNEL32(004CC554,00000000,00000000,000000FF,?,74DEE010), ref: 004030E4
              • GetLastError.KERNEL32(?,?,74DEE010), ref: 00403130
              • SysFreeString.OLEAUT32(004CC554), ref: 00403148
              • SysFreeString.OLEAUT32(00000007), ref: 00403153
              • SetLastError.KERNEL32(?), ref: 00403173
              • GetLastError.KERNEL32(00000000,00000000,00000000,?,?,00000000), ref: 00403263
              • SetLastError.KERNEL32(?,00000007,00000000,000000FF), ref: 004032B7
              • GetLastError.KERNEL32 ref: 004032C4
              • SysFreeString.OLEAUT32(00000000), ref: 004032E0
              • SysFreeString.OLEAUT32(00000007), ref: 004032EB
              • SetLastError.KERNEL32(004CC050), ref: 0040330B
                • Part of subcall function 00404270: GetLastError.KERNEL32 ref: 004042D7
                • Part of subcall function 00404270: SetLastError.KERNEL32(004CC554,00000000,00000000,000000FF), ref: 0040433A
                • Part of subcall function 00404270: GetLastError.KERNEL32(?,?,000000FF,?,00000001,00000000), ref: 004043F5
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
               • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: ErrorLast$FreeString
              • String ID:
              • API String ID: 2425351278-0
              • Opcode ID: 2f9c779a2a1f39f8c2843447db9b9a72234d4f1aa12b4891fc94c2ab51ef26e5
              • Instruction ID: 280f51470b2ec95161b9141670e89524219895895066b14a7c45bc7a4ab41cf5
              • Opcode Fuzzy Hash: 2f9c779a2a1f39f8c2843447db9b9a72234d4f1aa12b4891fc94c2ab51ef26e5
              • Instruction Fuzzy Hash: 5B912A71900218DFDB10DFA5C944B9EBBF4BF09308F14416AE815BB291DB79AA05CF98
              APIs
              • lstrcpynA.KERNEL32(?,?,?,?,?,?,004978D0,004CBCD0,00000000,?,?), ref: 004976F4
              • lstrcmpA.KERNEL32(?,NoRemove,?,?,?,004978D0,004CBCD0,00000000,?,?), ref: 00497706
              • lstrcmpA.KERNEL32(?,ForceRemove,?,?,?,004978D0,004CBCD0,00000000,?,?), ref: 00497744
              • lstrcmpA.KERNEL32(?,val,?,?,?,004978D0,004CBCD0,00000000,?,?), ref: 00497757
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
               • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: lstrcmp$lstrcpyn
              • String ID: ForceRemove$HKCR$NoRemove$val
              • API String ID: 3250216649-3921688442
              • Opcode ID: 75b2a73f244b1899332f79a5068acf3e8d459eedd1b548a40d74475121fa42e3
              • Instruction ID: c1d00ea1dc520e6cd7b9dda6c163582e7e7ff41b4bb3449664fc67a69a2c5d8f
              • Opcode Fuzzy Hash: 75b2a73f244b1899332f79a5068acf3e8d459eedd1b548a40d74475121fa42e3
              • Instruction Fuzzy Hash: 4C41377021C7055EEF248ABD8D84B77BFE96F45700F240ABBE142C26A1D2ACF8418B18
              APIs
              • GetFileSize.KERNEL32(?,00000000,?,?,00000000,?,?,?,00424E99,000000FF,?,?,000000FF,?), ref: 00424D2C
              • GetProcessHeap.KERNEL32(00000008,00000001,?,?,00000000,?,?,?,00424E99,000000FF,?,?,000000FF,?), ref: 00424D4D
              • HeapAlloc.KERNEL32(00000000,?,?,00000000,?,?,?,00424E99,000000FF,?,?,000000FF,?), ref: 00424D54
              • ReadFile.KERNEL32(?,00000000,00000000,00000000,00000000,?,?,00000000,?,?,?,00424E99,000000FF,?,?,000000FF), ref: 00424D72
              • _strlen.LIBCMT ref: 00424D81
              • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,?,00000000,?,?,?,00424E99,000000FF,?,?,000000FF,?), ref: 00424DB6
              • HeapFree.KERNEL32(00000000,?,?,00000000,?,?,?,00424E99,000000FF,?,?,000000FF,?), ref: 00424DBD
              • GetProcessHeap.KERNEL32(00000008,00000003,?,?,00000000,?,?,?,00424E99,000000FF,?,?,000000FF,?), ref: 00424DCD
              • HeapAlloc.KERNEL32(00000000,?,?,00000000,?,?,?,00424E99,000000FF,?,?,000000FF,?), ref: 00424DD4
              • ReadFile.KERNEL32(?,00000000,00000000,00000000,00000000,?,?,00000000,?,?,?,00424E99,000000FF,?,?,000000FF), ref: 00424DEE
              • GetProcessHeap.KERNEL32(00000000,00000000,?,?,00000000,?,?,?,00424E99,000000FF,?,?,000000FF,?), ref: 00424E0C
              • HeapFree.KERNEL32(00000000,?,?,00000000,?,?,?,00424E99,000000FF,?,?,000000FF,?), ref: 00424E13
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
               • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: Heap$Process$File$AllocFreeRead$Size_strlen
              • String ID:
              • API String ID: 3537955524-0
              • Opcode ID: 4ac23a01925b44d0639acd5a6f8b75a8c0e3087c76e8475dac96cb0d1a4aca40
              • Instruction ID: 52608a0919728d71b664b08e74e1f3718ae5c8b634a7eee44146bdb3f94ec57b
              • Opcode Fuzzy Hash: 4ac23a01925b44d0639acd5a6f8b75a8c0e3087c76e8475dac96cb0d1a4aca40
              • Instruction Fuzzy Hash: 7B319231600224BBDB209FA5EC49FAB7BECFF89755F910229F905D7190DB789904C768
              APIs
              • __EH_prolog3_catch_GS.LIBCMT ref: 00445A55
                • Part of subcall function 00444E32: __EH_prolog3_GS.LIBCMT ref: 00444E3C
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
               • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: H_prolog3_H_prolog3_catch_
              • String ID: ($2$InstalledProductName$PackageCode$Upgrade check: checking product code %s$Upgrade check: later product version already installed$Upgrade check: obtained package code %s from machine, current package code is %s$VersionString$session.cpp
              • API String ID: 2112800272-2579191198
              • Opcode ID: 3631386d8b83461b12de42aa2cb28361e8850fd59326c7ddb9804d4aed4d7392
              • Instruction ID: d7e68a3f74c613ad059faa4a985cf5a9546cfa1c6d17a1d2c0e7d0ef0e35dbc8
              • Opcode Fuzzy Hash: 3631386d8b83461b12de42aa2cb28361e8850fd59326c7ddb9804d4aed4d7392
              • Instruction Fuzzy Hash: 31129D70801248DFDB24DBA5C956BDDBBB4AF11308F1040EEE54567192DBB86F88CF6A
              APIs
              • _memmove.LIBCMT ref: 00406B03
              • _memmove.LIBCMT ref: 00406B3C
              • _memmove.LIBCMT ref: 00406B79
              • _memmove.LIBCMT ref: 00406D76
                • Part of subcall function 00407350: SysAllocStringLen.OLEAUT32(00000000,?), ref: 00407399
                • Part of subcall function 00407350: _memmove.LIBCMT ref: 004073C1
                • Part of subcall function 00407350: SysFreeString.OLEAUT32 ref: 004073D1
              • _memmove.LIBCMT ref: 00406BF6
              • _memmove.LIBCMT ref: 00406C7A
              • _memmove.LIBCMT ref: 00406CF7
              • _memmove.LIBCMT ref: 00406D3A
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
               • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: _memmove$String$AllocFree
              • String ID: invalid string position$string too long
              • API String ID: 4249169437-4289949731
              • Opcode ID: da424c7788026802c9d0ae4730ce7e7c547b907c7b3021d8e583079445c55ea6
              • Instruction ID: a1d474c7d035796915a937025ea7b3897fd29396072d0b45310e87ee83915f24
              • Opcode Fuzzy Hash: da424c7788026802c9d0ae4730ce7e7c547b907c7b3021d8e583079445c55ea6
              • Instruction Fuzzy Hash: 59D18070700109DBCB14CF58C9C09AA73BAFF85744721453FE846EB295DB38E965CBA9
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
               • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: _memmove
              • String ID: invalid string position$string too long
              • API String ID: 4104443479-4289949731
              • Opcode ID: 29b5fee22fd76fab4af3c7b9b91334e3cba193e9987aff2df4171cc255f88379
              • Instruction ID: 600b50233ec6b8f0e352e9c2c1a6f646f46f154a696964a37f136c7055cb462d
              • Opcode Fuzzy Hash: 29b5fee22fd76fab4af3c7b9b91334e3cba193e9987aff2df4171cc255f88379
              • Instruction Fuzzy Hash: C9D14B71A00209DFCF24CF4CD98199ABBB5AF4A744B24493FE945C7701DB38EA51CBA9
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 00425656
              • GetProcAddress.KERNEL32(?,RunISMSISetup), ref: 004256DB
              • GetModuleFileNameW.KERNEL32(00000000,00000400,?,00000400), ref: 004257BA
                • Part of subcall function 00444E32: __EH_prolog3_GS.LIBCMT ref: 00444E3C
                • Part of subcall function 00411254: __EH_prolog3.LIBCMT ref: 0041125B
                • Part of subcall function 00411254: GetLastError.KERNEL32(00000004,00411484,00000000,00000000,00000004,004152FC,?,00000001,00411C1B,00000000), ref: 0041127D
                • Part of subcall function 00411254: SetLastError.KERNEL32(?,00000000), ref: 004112BD
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
               • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: ErrorH_prolog3_Last$AddressFileH_prolog3ModuleNameProc
              • String ID: Could not find entry point in ISSetup.dll$ISSetup.dll$IsMsiHelper.cpp$Launching InstallScript engine: %s, %s, %d$RunISMSISetup$setup.exe$w
              • API String ID: 1938318566-2138724763
              • Opcode ID: b3839d6fa9fa6a5cb876bdc9c458e143e64f6972e0965547a397815d02a73560
              • Instruction ID: 6752fc03f1eebfb321e8203037a63e197ffc8ba5f0818ae90b7b832457301e5f
              • Opcode Fuzzy Hash: b3839d6fa9fa6a5cb876bdc9c458e143e64f6972e0965547a397815d02a73560
              • Instruction Fuzzy Hash: BDC18C70901228DEDB24DF64C885BDDBBB0BF15304F5441EEE189A7292DBB85E84CF58
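               Added example, not part of the Joe Sandbox report and not code from SureDI.exe: a small Python parser for the "APIs" bullets of entries such as the CreateProcessW function at 004512E3, the ShellExecuteExW function at 004513F5 and the GetProcAddress(RunISMSISetup) function at 004256DB above. It reads the line format exactly as rendered here (API.MODULE(args), ref: address, with "Part of subcall function" marking calls attributed to callees and "?" marking argument slots the sandbox could not resolve), decodes the dwCreationFlags argument of CreateProcessW using the documented Windows SDK constants, and reports whether a function launches a child and waits on its exit code, and which exports it resolves by name. The sample lines are constructed from the entries above; the function and dictionary names are this example's own. The practitioner's check it encodes: the CreateProcessW call at 004512E3 passes 0x20 (NORMAL_PRIORITY_CLASS) as its sixth argument, so CREATE_SUSPENDED is not set in that particular call, and the PeekMessageW / MsgWaitForMultipleObjects(…, 0x4FF = QS_ALLINPUT) pair around it is the ordinary modal launch-and-wait loop of an installer bootstrapper, not a sign of injection.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# One "APIs" bullet of a Joe Sandbox function entry, in the three shapes seen in this report:
#   • CreateProcessW.KERNEL32(00000000,...,00000020,...), ref: 004512E3
#   • _memset.LIBCMT ref: 00451247
#     • Part of subcall function 00402CA0: GetLastError.KERNEL32(17703A82,?,00000000), ref: 00402CF0
API_LINE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<parent>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[^.(\s]+)\.(?P<module>[A-Za-z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Constructed sample: lines copied from the CreateProcessW entry at 004512E3 and the
# GetProcAddress entry at 004256DB of this report (example data, trimmed to what the parser needs).
SAMPLE = """\
• __EH_prolog3_GS.LIBCMT ref: 0045121F
  • Part of subcall function 00402CA0: GetLastError.KERNEL32(17703A82,?,00000000), ref: 00402CF0
• _memset.LIBCMT ref: 00451247
• CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000020,00000000,00000000,?,?,?,?,?,?,?,?), ref: 004512E3
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00451315
• MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 0045133A
• GetExitCodeProcess.KERNEL32(?,?), ref: 00451347
• CloseHandle.KERNEL32(?,?,?,?,?,00000001,000000B8,0042E2D1,?,00000001), ref: 00451358
• GetProcAddress.KERNEL32(?,RunISMSISetup), ref: 004256DB
"""

# dwCreationFlags bits of CreateProcess (Windows SDK values).
CREATION_FLAGS = {
    0x00000004: "CREATE_SUSPENDED",
    0x00000008: "DETACHED_PROCESS",
    0x00000010: "CREATE_NEW_CONSOLE",
    0x00000020: "NORMAL_PRIORITY_CLASS",
    0x00000200: "CREATE_NEW_PROCESS_GROUP",
    0x00000400: "CREATE_UNICODE_ENVIRONMENT",
    0x08000000: "CREATE_NO_WINDOW",
}

LAUNCHERS = {"CreateProcessW", "CreateProcessA", "ShellExecuteExW", "ShellExecuteExA",
             "ShellExecuteW", "ShellExecuteA"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]           # raw argument slots as printed; "?" means unresolved
    ref: str                  # address of the call site inside the function
    parent: Optional[str] = None  # set when the report attributes the call to a subcall function

    def arg_int(self, index: int) -> Optional[int]:
        """Argument `index` as an integer, or None for '?', a missing slot or a string literal."""
        if index >= len(self.args) or self.args[index] == "?":
            return None
        try:
            return int(self.args[index], 16)
        except ValueError:  # e.g. the export name RunISMSISetup printed inline by the sandbox
            return None


def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse every bullet that matches the report's API line shape; other lines are ignored."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("api"), m.group("module").upper(), args,
                             m.group("ref").upper(), m.group("parent")))
    return calls


def creation_flags(call: ApiCall) -> Set[str]:
    """Decode dwCreationFlags (sixth argument) of a CreateProcessA/W call; empty set if unresolved."""
    if call.api not in ("CreateProcessW", "CreateProcessA"):
        raise ValueError("not a CreateProcess call: " + call.api)
    flags = call.arg_int(5)
    if flags is None:
        return set()
    return {name for bit, name in CREATION_FLAGS.items() if flags & bit}


def summarize(calls: List[ApiCall]) -> dict:
    """Characterise one function's API list the way an analyst reads the report entry."""
    own = [c for c in calls if c.parent is None]  # leave out calls the report attributes to callees
    names = [c.api for c in own]
    launches = [c for c in own if c.api in LAUNCHERS]
    suspended = any("CREATE_SUSPENDED" in creation_flags(c)
                    for c in launches if c.api.startswith("CreateProcess"))
    exports = [c.args[1] for c in own
               if c.api == "GetProcAddress" and len(c.args) > 1
               and c.args[1] != "?" and c.arg_int(1) is None]
    return {
        "launches": [c.api for c in launches],
        "waits_for_exit": bool(launches) and "GetExitCodeProcess" in names,
        "pumps_messages": "MsgWaitForMultipleObjects" in names or "PeekMessageW" in names,
        "suspended": suspended,
        "resolved_exports": exports,
    }


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE)
    for call in parsed:
        if call.api.startswith("CreateProcess"):
            print(call.ref, call.api, sorted(creation_flags(call)))
    print(summarize(parsed))
```

A hex-looking export name would be misread as an address by arg_int; the report prints named imports as bare text, so in practice only "?" and eight-digit addresses occupy those slots. Run the script on the bullets of any other entry (for example the ShellExecuteExW function at 004513F5) to get the same summary for it.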
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 00446C49
                • Part of subcall function 0043E855: __EH_prolog3.LIBCMT ref: 0043E85C
                • Part of subcall function 0043E8D3: GetVersionExW.KERNEL32(?,?,?), ref: 0043E910
                • Part of subcall function 0043E8D3: GetSystemInfo.KERNEL32(?,?,?), ref: 0043E962
                • Part of subcall function 00418FA2: __EH_prolog3.LIBCMT ref: 00418FA9
                • Part of subcall function 00419949: __EH_prolog3_GS.LIBCMT ref: 00419953
              • lstrlenW.KERNEL32(?), ref: 00446F2B
                • Part of subcall function 0044477D: __EH_prolog3_catch.LIBCMT ref: 00444784
                • Part of subcall function 0044477D: lstrcmpW.KERNEL32(?,004CBE7C,?,?,004CBE7C,?,?,00000004,00446CDB,Startup,Source,00000001,?,00000400,00000452), ref: 004447AC
                • Part of subcall function 00444836: __EH_prolog3_GS.LIBCMT ref: 00444840
              • ~_Task_impl.LIBCPMT ref: 00446FC3
              • ~_Task_impl.LIBCPMT ref: 00446FD6
                • Part of subcall function 0043CC4C: __EH_prolog3_GS.LIBCMT ref: 0043CC56
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: H_prolog3_$H_prolog3Task_impl$H_prolog3_catchInfoSystemVersionlstrcmplstrlen
              • String ID: BetaMarker.dat$EvalMarker.dat$KEY$PASSWORD$Source$Startup
              • API String ID: 4055012072-1230491432
              • Opcode ID: 18bb45b57fdd23d684fa022fafe62985fd11dc6d9c192149842d9c5882c648d8
              • Instruction ID: de259005b61d89fcbc9b487034d299c3e56394550c478788cb94039eeb037315
              • Opcode Fuzzy Hash: 18bb45b57fdd23d684fa022fafe62985fd11dc6d9c192149842d9c5882c648d8
              • Instruction Fuzzy Hash: 52910670A062549AFB24EB61CC45BFEB7A8AF41308F0540DFA449A31D2DF7C5E49CB59
              APIs
              • lstrlenW.KERNEL32(?,?,00000000,?,000000FF,000000FF,?,0044867A,000000FF,00000000,80400100,?,00000000,00484A59,004BAB98,80000000), ref: 00493682
              • lstrcpyW.KERNEL32(00000000,?,?,000000FF,000000FF,?,0044867A,000000FF,00000000,80400100,?,00000000,00484A59,004BAB98,80000000,00000001), ref: 004936A3
              • lstrlenW.KERNEL32(?,?,00000000,?,000000FF,000000FF,?,0044867A,000000FF,00000000,80400100,?,00000000,00484A59,004BAB98,80000000), ref: 004936AA
              • lstrlenW.KERNEL32(?,?,000000FF,000000FF,?,0044867A,000000FF,00000000,80400100,?,00000000,00484A59,004BAB98,80000000,00000001,00000080), ref: 004936CE
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: lstrlen$lstrcpy
              • String ID: @
              • API String ID: 805584807-2766056989
              • Opcode ID: 40ac534942d8d968c735c363444220701250bb967c17bbbaf77cd8449bad3781
              • Instruction ID: eb7c4500755345fdb9bee4f0ce9b4a99cf8e42d9f63768c9f9906be314107150
              • Opcode Fuzzy Hash: 40ac534942d8d968c735c363444220701250bb967c17bbbaf77cd8449bad3781
              • Instruction Fuzzy Hash: F66181B2600305AFDB149F69DC85A6ABBE8FF55315F10852FF902CA291D7B8ED418B14
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: Sleep$DeleteDirectoryFileH_prolog3_Remove
              • String ID: DeleterDeleteFile$DeleterDeleteFolder$File=%s$Folder=%s$ISSetupDLLOp
              • API String ID: 3597207528-1636184637
              • Opcode ID: 7000bf39655dd050f44fa6b16720351fcf01f9a6ab8552d23980eadd3531b706
              • Instruction ID: d6d6a0f111680f4c95e7c0cc70a52cac69f487ffd385e1ba14e4bd3d980408f3
              • Opcode Fuzzy Hash: 7000bf39655dd050f44fa6b16720351fcf01f9a6ab8552d23980eadd3531b706
              • Instruction Fuzzy Hash: 26610D71E05244EFEF04EBA8C9467EDBB71AF01304F50405AE411AB2C1D77CAE89C7AA
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 00421D08
              • DefWindowProcW.USER32(?,?,?,?,0000006C), ref: 00421D38
              • GetWindowLongW.USER32(?,000000EB), ref: 00421D4E
              • BeginPaint.USER32(?,?), ref: 00421D5E
              • EndPaint.USER32(?,?,?,00000000,00000000,00000000,?), ref: 00421D89
              • GetWindowLongW.USER32(?,000000EB), ref: 00421D97
              • SetWindowLongW.USER32(?,000000EB,00000000), ref: 00421DEE
              • GetClientRect.USER32(?,?), ref: 00421DFB
              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000256), ref: 00421E49
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: Window$Long$Paint$BeginClientH_prolog3_ProcRect
              • String ID: GIF
              • API String ID: 4259225933-881873598
              • Opcode ID: 2143fa768cb4aefea25606dfbc65d418e1ec89f835c70087922b8334928e6fa6
              • Instruction ID: 8e95f90d601a3422d85fcdbcc4402ab238ad0e12aa88a65947a112820c58fb1b
              • Opcode Fuzzy Hash: 2143fa768cb4aefea25606dfbc65d418e1ec89f835c70087922b8334928e6fa6
              • Instruction Fuzzy Hash: 4E41B371A00218EFCB109FA5ED458AEBFB4FF54321B61422AF815A72B1C7389D11DB18
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: CharNext
              • String ID: /f1$/f2
              • API String ID: 3213498283-21253999
              • Opcode ID: e9aa193cff05aa004ea64d4b899d42c56ab57cc961ea388a7c312e75e72a7d8b
              • Instruction ID: 2d0946e220a1973c966914dd148467819fc68aae60bf03284e557c4686bde946
              • Opcode Fuzzy Hash: e9aa193cff05aa004ea64d4b899d42c56ab57cc961ea388a7c312e75e72a7d8b
              • Instruction Fuzzy Hash: 1301D670A19935AFDA1067365C1897F3E1CEF813A879402ABB409A31D1CB6C6D01DAFD
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 0044D8ED
                • Part of subcall function 00455577: _malloc.LIBCMT ref: 0045558F
              • CreateFileW.KERNEL32(000000FF,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,?,00000084,0044EC35,?,?), ref: 0044D9C9
              • GetLastError.KERNEL32(?,?,00000084,0044EC35,?,?,?,?,?,?), ref: 0044D9D3
              • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,00000080,00000000,?,?,00000084,0044EC35,?,?,?,?,?), ref: 0044DA15
              • GetLastError.KERNEL32(?,?,00000084,0044EC35,?,?,?,?,?,?), ref: 0044DA1E
              • CloseHandle.KERNEL32(?,?,?,00000084,0044EC35,?,?,?,?,?,?), ref: 0044DA2A
              • GetFileSize.KERNEL32(?,00000000,?,?,?,00000084,0044EC35,?,?,?,?,?,?), ref: 0044DA41
              • CloseHandle.KERNEL32(?,?,?,00000084,0044EC35,?,?,?,?,?,?), ref: 0044DA4D
              • CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000002,?,?,00000084,0044EC35,?,?,?,?,?), ref: 0044DA67
                • Part of subcall function 0044E828: _memset.LIBCMT ref: 0044E838
                • Part of subcall function 0044E828: lstrcpyA.KERNEL32(?), ref: 0044E855
              • WriteFile.KERNEL32(00000000,?,?,?,00000000,00000000,?,00000000,00000000,?,?,00000084,0044EC35,?,?,?), ref: 0044DA93
                • Part of subcall function 0044EE57: SetFilePointer.KERNELBASE(?,?,00000000,?,00000000,?,?,?,?,0044DF8B,00000000,?,00000000,00000000), ref: 0044EE77
                • Part of subcall function 0044EE57: GetLastError.KERNEL32(?,?,?,?,0044DF8B,00000000,?,00000000,00000000), ref: 0044EE7F
              • CloseHandle.KERNEL32(00000000,?,?,?,00000001,00000000,00000000,00000000,00000002,00000000,00000000,?,00000000,00000000), ref: 0044DBB1
                • Part of subcall function 0044EE9D: _memset.LIBCMT ref: 0044EEC3
                • Part of subcall function 0044EE9D: _strcat.LIBCMT ref: 0044EED4
                • Part of subcall function 0044EE9D: WriteFile.KERNEL32(?,00000000,000000FF,?,00000000), ref: 0044EF90
                • Part of subcall function 0044EE9D: GetLastError.KERNEL32 ref: 0044EF9A
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: File$CloseErrorHandleLast$CreateWrite_memset$H_prolog3_PointerSize_malloc_strcatlstrcpy
              • String ID:
              • API String ID: 4039743174-0
              • Opcode ID: a9b219b4f1f0321f01f2cfc5f9b8a80b7efa42f2c96dcaecbb9135805c1d7e02
              • Instruction ID: 6b9b2551c44329d1a61a04ce86264f925db9e7bd6f568157b6655a0b34dc337e
              • Opcode Fuzzy Hash: a9b219b4f1f0321f01f2cfc5f9b8a80b7efa42f2c96dcaecbb9135805c1d7e02
              • Instruction Fuzzy Hash: C6918170A00605AFFB249B71CD85BAEBBB9BF04708F20415EF552E7291DB38A950CB18
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: _memmove
              • String ID:
              • API String ID: 4104443479-0
              • Opcode ID: d90e7d79621305640dc55bc0cdcc1a5e92d531bbb41b4b95714be7155acf093c
              • Instruction ID: 2569bbf17f5cc729b3ddd318eb54891d8f3c2bef7d839ecfd5e80019a342f288
              • Opcode Fuzzy Hash: d90e7d79621305640dc55bc0cdcc1a5e92d531bbb41b4b95714be7155acf093c
              • Instruction Fuzzy Hash: CB518FF1540202EFDF209F60D885A95BBF9EF1A356B30087BE884CA247E779C955CB58
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: Ex_nolock__lock__updatetlocinfo$___removelocaleref__calloc_crt__copytlocinfo_nolock__wsetlocale_nolock_wcscmp
              • String ID:
              • API String ID: 1077091919-0
              • Opcode ID: cc43f73cdbef16361ad674c9f910d1912844d0dc622181f82d8dabade22c81a9
              • Instruction ID: 85d6c8cf33117b9f9ed32776889c8a643744956c1acee784f8fef3b5e304baf5
              • Opcode Fuzzy Hash: cc43f73cdbef16361ad674c9f910d1912844d0dc622181f82d8dabade22c81a9
              • Instruction Fuzzy Hash: 0F41A532904305EFDB20AFA6D88279D77A0AF0831AF10442FFD0956293DB7D8949CB5D
              APIs
              • lstrcmpiW.KERNEL32(?,Delete,?,17703A82,?,00000000,00000000,?,004AAAD5,000000FF,?,00440DDC,?,00000000,00000000,00000000), ref: 00441031
              • lstrcmpiW.KERNEL32(?,ForceRemove,?,00000000,00000000,?,004AAAD5,000000FF,?,00440DDC,?,00000000,00000000,00000000,?,?), ref: 00441048
              • lstrcmpiW.KERNEL32(?,NoRemove,?,?,00000000,00000000,?,004AAAD5,000000FF,?,00440DDC,?,00000000,00000000,00000000,?), ref: 00441138
              • lstrcmpiW.KERNEL32(?,Val,?,00000000,00000000,?,004AAAD5,000000FF,?,00440DDC,?,00000000,00000000,00000000,?,?), ref: 00441160
                • Part of subcall function 00440819: CharNextW.USER32(?,?,00000000,?,?,?,?,0043FD0C,?,17703A82,?,?,?,?,?,004AA98E), ref: 00440854
                • Part of subcall function 00440819: CharNextW.USER32(?,?,?,00000000,?,?,?,?,0043FD0C,?,17703A82), ref: 004408DA
                • Part of subcall function 00440819: CharNextW.USER32(00000000,?,?,00000000,?,?,?,?,0043FD0C,?,17703A82), ref: 00440871
                • Part of subcall function 00440819: CharNextW.USER32(00000000,?,?,00000000,?,?,?,?,0043FD0C,?,17703A82), ref: 0044087F
                • Part of subcall function 00440819: CharNextW.USER32(00000027,00000000,?,00000000,?,?,?,?,0043FD0C,?,17703A82), ref: 004408F9
              • RegDeleteValueW.ADVAPI32(?,?,?,?,?,?,?,?,?,?), ref: 0044126F
                • Part of subcall function 004018F0: GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 00401914
                • Part of subcall function 004018F0: RegCloseKey.ADVAPI32(00000000), ref: 00401977
                • Part of subcall function 004018F0: GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 0040192B
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: CharNext$lstrcmpi$AddressCloseDeleteHandleModuleProcValue
              • String ID: Delete$ForceRemove$NoRemove$Val
              • API String ID: 3600369491-1781481701
              • Opcode ID: 411bd473e2821aa148ad36b50fcad205629a9d13a544705b1d8392f0c2862176
              • Instruction ID: 6a14e75d67ed6cd6ecef82186e8d332a0c49f20cc3017f29f3ad138fccb35c25
              • Opcode Fuzzy Hash: 411bd473e2821aa148ad36b50fcad205629a9d13a544705b1d8392f0c2862176
              • Instruction Fuzzy Hash: EEF19531D01229BAEB35EF659C447AEB7B4AB54714F0041AFE806E72A1D7388FC4CE59
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 00441908
                • Part of subcall function 0043F800: __EH_prolog3.LIBCMT ref: 0043F807
                • Part of subcall function 00440709: InitializeCriticalSectionAndSpinCount.KERNEL32(00000000,00000000,?,0043F6F7,?,?,0043F681,00000004,00000000), ref: 0044070E
                • Part of subcall function 00440709: GetLastError.KERNEL32(?,0043F6F7,?,?,0043F681,00000004,00000000), ref: 00440718
              • GetModuleFileNameW.KERNEL32(00400000,?,00000104), ref: 0044198A
              • GetModuleHandleW.KERNEL32(00000000), ref: 004419E5
              • __EH_prolog3_GS.LIBCMT ref: 00441ADA
              • GetModuleHandleW.KERNEL32(00000000,?,?,00000A64), ref: 00441BBD
              • GetModuleFileNameW.KERNEL32(00400000,?,00000104), ref: 00441B5F
                • Part of subcall function 0043FBF8: __EH_prolog3.LIBCMT ref: 0043FBFF
                • Part of subcall function 0043FBF8: EnterCriticalSection.KERNEL32(?,?,?,?,00000000), ref: 0043FC17
                • Part of subcall function 0043FBF8: LeaveCriticalSection.KERNEL32(?,?,?,?,00000000), ref: 0043FC36
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: Module$CriticalSection$FileH_prolog3H_prolog3_HandleName$CountEnterErrorInitializeLastLeaveSpin
              • String ID: Module$Module_Raw$REGISTRY
              • API String ID: 3285820555-549000027
              • Opcode ID: cb7a652eaf0450ead21ef7d54d14bf707ab47f7efb37cb7daf9fb038229abd98
              • Instruction ID: 43252e37b81660aedb19cec84f12173032aaf46b92a4a05d4a3512892f0425f6
              • Opcode Fuzzy Hash: cb7a652eaf0450ead21ef7d54d14bf707ab47f7efb37cb7daf9fb038229abd98
              • Instruction Fuzzy Hash: 47A1B672A002189BEB20DB50CD50BEE73B8AF45314F1401EBE945A3151E779EF98CB6A
              APIs
              • GetLastError.KERNEL32 ref: 004047CB
              • SetLastError.KERNEL32(004CC554), ref: 00404803
              • GetLastError.KERNEL32(?), ref: 0040492A
              • SetLastError.KERNEL32(?,?,00000000,000000FF), ref: 00404983
              • GetLastError.KERNEL32 ref: 00404992
              • SysFreeString.OLEAUT32(?), ref: 004049B0
              • SysFreeString.OLEAUT32(?), ref: 004049BD
              • SetLastError.KERNEL32(?), ref: 004049E1
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: ErrorLast$FreeString
              • String ID: \
              • API String ID: 2425351278-2967466578
              • Opcode ID: 7a202637f4329a40bba4555226cc449ff29078e900993fd760111c6a064f4d29
              • Instruction ID: 2103005a252cd7b8a5b06c9a9e18cea7d9e2b360615a0d7bd836a97d1cdc4b32
              • Opcode Fuzzy Hash: 7a202637f4329a40bba4555226cc449ff29078e900993fd760111c6a064f4d29
              • Instruction Fuzzy Hash: 27717CB11083409FD710DF24C884B5BBBF4BF89318F108A2EE5599B2D1DB79E944CB8A
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 00450958
                • Part of subcall function 0048C09A: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,00450985,000000BC,0042DDE4,?,004CC0A0,00000000,?,?,?,?,0000000C), ref: 0048C0AD
                • Part of subcall function 0048C09A: GetProcAddress.KERNEL32(00000000), ref: 0048C0B4
                • Part of subcall function 0048C09A: GetCurrentProcess.KERNEL32(00000000,?,?,00450985,000000BC,0042DDE4,?,004CC0A0,00000000,?,?,?,?,0000000C,0000000C,?), ref: 0048C0C4
              • CreateFileW.KERNEL32(00000015,80000000,00000001,00000000,00000003,00000080,00000000,000000BC,0042DDE4,?,004CC0A0,00000000,?,?,?,?), ref: 004509B3
              • GetModuleHandleW.KERNEL32(kernel32.dll,GetFinalPathNameByHandleW), ref: 004509F3
              • GetProcAddress.KERNEL32(00000000), ref: 004509FA
                • Part of subcall function 00411456: __EH_prolog3.LIBCMT ref: 0041145D
                • Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00415457,00000000,?,00000000,?,00000001,00000044,004152EA,004CC0A0,?,00000000,00000000,00000040,004115AA), ref: 00401B8F
                • Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
                • Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
                • Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4
              Strings
              • GetFinalPathNameByHandleW, xrefs: 004509E9
              • \\?\, xrefs: 00450AA4
              • Corrected file path: new path is '%s' (was this on localappdata in system context? old: '%s'), xrefs: 00450B66
              • utils.cpp, xrefs: 00450B6C
              • kernel32.dll, xrefs: 004509EE
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: AddressErrorFreeHandleLastModuleProcString$CreateCurrentFileH_prolog3H_prolog3_Process
              • String ID: Corrected file path: new path is '%s' (was this on localappdata in system context? old: '%s')$GetFinalPathNameByHandleW$\\?\$kernel32.dll$utils.cpp
              • API String ID: 2316756493-2043974176
              • Opcode ID: e695743a9c1cec9086bb217ddbac7d01d3c32df510854cca4e3276e5d1008176
              • Instruction ID: 5d5129fe3c433f03c72f0f060c85aeb3da9a424f7d6cc37482e5c7168d4d8cb8
              • Opcode Fuzzy Hash: e695743a9c1cec9086bb217ddbac7d01d3c32df510854cca4e3276e5d1008176
              • Instruction Fuzzy Hash: 86717270900318EEDB10DBA4CC95BDEB7B8AF05309F10409EE549B7192DB785E89CF69
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 0042F299
                • Part of subcall function 00403E30: GetLastError.KERNEL32 ref: 00403E4F
                • Part of subcall function 00403E30: SetLastError.KERNEL32(?), ref: 00403E7F
                • Part of subcall function 0044661C: _memset.LIBCMT ref: 00446648
                • Part of subcall function 0042F538: __EH_prolog3_catch_GS.LIBCMT ref: 0042F542
                • Part of subcall function 00402CA0: GetLastError.KERNEL32(17703A82,?,00000000,?,?,?,004B3A88,000000FF,?,00401F2D,InstallShield.log,?,00000001), ref: 00402CF0
                • Part of subcall function 00402CA0: SetLastError.KERNEL32(?,004CBE7C,00000000,?,00000000,?,?,?,004B3A88,000000FF,?,00401F2D,InstallShield.log,?,00000001), ref: 00402D68
                • Part of subcall function 004457A9: __EH_prolog3_GS.LIBCMT ref: 004457B0
                • Part of subcall function 00401AC0: GetLastError.KERNEL32(?,00000000,004035F7,00000000,00000000,?,?,00000000,004CBE7C,?,00000001,?,00000000,000000FF,-00000004,?), ref: 00401ACF
                • Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AEB
                • Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AF6
                • Part of subcall function 00401AC0: SetLastError.KERNEL32(?), ref: 00401B14
              • _memset.LIBCMT ref: 0042F3A4
              • _memset.LIBCMT ref: 0042F3BF
                • Part of subcall function 00450D2A: lstrcpyW.KERNEL32(000003FE,004CBE7C,?), ref: 00450D68
                • Part of subcall function 00450D2A: lstrcpyW.KERNEL32(00000000,004CBE7C), ref: 00450D70
                • Part of subcall function 00450D2A: _malloc.LIBCMT ref: 00450D8A
                • Part of subcall function 00450D2A: _memset.LIBCMT ref: 00450D9B
                • Part of subcall function 00450D2A: _memset.LIBCMT ref: 00450DC6
                • Part of subcall function 00450D2A: wsprintfW.USER32 ref: 00450E18
                • Part of subcall function 00450D2A: _memset.LIBCMT ref: 00450E30
                • Part of subcall function 004519EB: lstrcpyW.KERNEL32(?,@&O,00000000), ref: 00451A24
                • Part of subcall function 004519EB: lstrcpyW.KERNEL32(?,00000001), ref: 00451A2E
                • Part of subcall function 004519EB: _swscanf.LIBCMT ref: 00451AA3
                • Part of subcall function 004519EB: _swscanf.LIBCMT ref: 00451ACC
                • Part of subcall function 004507E7: __EH_prolog3_GS.LIBCMT ref: 004507F1
                • Part of subcall function 004507E7: wsprintfW.USER32 ref: 00450833
                • Part of subcall function 004507E7: wvsprintfW.USER32(?,?,00000000), ref: 0045084E
              Strings
              • Msi.DLL, xrefs: 0042F3CF
              • Startup, xrefs: 0042F33F
              • 4.05.0.0, xrefs: 0042F3DD
              • msiaction.cpp, xrefs: 0042F422
              • ScriptDriven, xrefs: 0042F322
              • Windows Installer 4.5 or newer is required to run this installation but is not present on the machine. Setup will now exit., xrefs: 0042F43F
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: ErrorLast_memset$lstrcpy$H_prolog3_$FreeString_swscanfwsprintf$H_prolog3_catch__mallocwvsprintf
              • String ID: 4.05.0.0$Msi.DLL$ScriptDriven$Startup$Windows Installer 4.5 or newer is required to run this installation but is not present on the machine. Setup will now exit.$msiaction.cpp
              • API String ID: 2702353906-2222384249
              • Opcode ID: a676779e2a0bceb3a6e345e59a2a18b38e9ed199ab4ae6513cad6176a83f4ca5
              • Instruction ID: 27c1c3d43acca1f0e8a518fd3f024bc8e5a7cd952ec3d4280b66c7106e6c55d0
              • Opcode Fuzzy Hash: a676779e2a0bceb3a6e345e59a2a18b38e9ed199ab4ae6513cad6176a83f4ca5
              • Instruction Fuzzy Hash: 316194B1A00158AADF20DBA1DC91BEE77799B44304F9440FBA609A71C2DB785F8CCB5D
              APIs
              • GetLastError.KERNEL32 ref: 00401D66
              • SetLastError.KERNEL32(004CC554), ref: 00401D9E
              • GetLastError.KERNEL32(?,00000104), ref: 00401E22
              • SetLastError.KERNEL32(004CC554), ref: 00401E69
              • GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,?,00000104), ref: 00401EA6
                • Part of subcall function 00402CA0: GetLastError.KERNEL32(17703A82,?,00000000,?,?,?,004B3A88,000000FF,?,00401F2D,InstallShield.log,?,00000001), ref: 00402CF0
                • Part of subcall function 00402CA0: SetLastError.KERNEL32(?,004CBE7C,00000000,?,00000000,?,?,?,004B3A88,000000FF,?,00401F2D,InstallShield.log,?,00000001), ref: 00402D68
              Strings
              • VerboseLogPath, xrefs: 00401DE9
              • InstallShield.log, xrefs: 00401F1F
              • SOFTWARE\InstallShield\22.0\Professional, xrefs: 00401D36
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: ErrorLast$FileModuleName
              • String ID: InstallShield.log$SOFTWARE\InstallShield\22.0\Professional$VerboseLogPath
              • API String ID: 1026760046-3531651620
              • Opcode ID: bae7db54c76f1ff621606428ea6de2b0a0ff475b64bb19ddee82474f647aaeee
              • Instruction ID: 34aa1967c255c079ae8a97c417ddb1dbb9f0deec2d2c0129669ea1b7d2b74f4e
              • Opcode Fuzzy Hash: bae7db54c76f1ff621606428ea6de2b0a0ff475b64bb19ddee82474f647aaeee
              • Instruction Fuzzy Hash: 38713D701083809FD320DF65C855B9BBBE4BF98708F40492EF599972E1DBB89548CB6B
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 00430DB7
                • Part of subcall function 0042B91E: __EH_prolog3_GS.LIBCMT ref: 0042B925
                • Part of subcall function 00403E30: GetLastError.KERNEL32 ref: 00403E4F
                • Part of subcall function 00403E30: SetLastError.KERNEL32(?), ref: 00403E7F
              • lstrcpyW.KERNEL32(?,?,0000002C,00000000,?,00000001,000002B4,00437B5F,00000002,?,004CC554,?,?,00000001,00000000,?), ref: 00430E5D
              • lstrcatW.KERNEL32(?,langpack20.exe), ref: 00430E82
              • lstrcpyW.KERNEL32(?,?,?,004CC0A0,00000001,00000000,?,?,00000001), ref: 00430EFA
              • lstrcatW.KERNEL32(?,vjredist20-LP.exe), ref: 00430F1F
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: ErrorH_prolog3_Lastlstrcatlstrcpy
              • String ID: langpack.exe$langpack20.exe$vjredist-LP.exe$vjredist20-LP.exe
              • API String ID: 479913987-1679877701
              • Opcode ID: e2983b5e173a7346a89b6ace1a31f5a6f3209856199403c82fb22147205318a1
              • Instruction ID: 246b755fa80c358cc829cf3aa614b33323084beb9dd882a49820768a81a9e3a0
              • Opcode Fuzzy Hash: e2983b5e173a7346a89b6ace1a31f5a6f3209856199403c82fb22147205318a1
              • Instruction Fuzzy Hash: 6D51A131A00218EFCB60DB64CC99BDEB7B8AB14304F5002EFE149A6191DB789F85CF59
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 00445362
              • _memset.LIBCMT ref: 0044538E
                • Part of subcall function 0044477D: __EH_prolog3_catch.LIBCMT ref: 00444784
                • Part of subcall function 0044477D: lstrcmpW.KERNEL32(?,004CBE7C,?,?,004CBE7C,?,?,00000004,00446CDB,Startup,Source,00000001,?,00000400,00000452), ref: 004447AC
              • wsprintfW.USER32 ref: 004453CA
              • CharNextW.USER32(?), ref: 004453DD
              • CharNextW.USER32(00000000), ref: 004453E0
                • Part of subcall function 0041292E: __EH_prolog3_GS.LIBCMT ref: 00412935
                • Part of subcall function 00402CA0: GetLastError.KERNEL32(17703A82,?,00000000,?,?,?,004B3A88,000000FF,?,00401F2D,InstallShield.log,?,00000001), ref: 00402CF0
                • Part of subcall function 00402CA0: SetLastError.KERNEL32(?,004CBE7C,00000000,?,00000000,?,?,?,004B3A88,000000FF,?,00401F2D,InstallShield.log,?,00000001), ref: 00402D68
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: CharErrorH_prolog3_LastNext$H_prolog3_catch_memsetlstrcmpwsprintf
              • String ID: %#x$C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}$Setup.bmp$Type
              • API String ID: 539155021-2263260222
              • Opcode ID: 552bfa01791b3073b9c744385007b3e15aa50b5dedf5ea800afb0ce34f8db48f
              • Instruction ID: 398a31335f712b45a317f1641cef8221850d01bbdac03d641ab2d51afd96452e
              • Opcode Fuzzy Hash: 552bfa01791b3073b9c744385007b3e15aa50b5dedf5ea800afb0ce34f8db48f
              • Instruction Fuzzy Hash: 0341E9B1A00318BBDB20EB64DC46FEE777CEF45704F00459BB509A6186DA785B84CF95
              APIs
              • GetLastError.KERNEL32(?,00493BE2,?,00000000,?,00000001,?,00442017,?,?,00000000,0000008C,004484F8,?,00000003,00000000), ref: 004939B9
              • wsprintfW.USER32 ref: 004939ED
              • lstrcatW.KERNEL32(?,?,?,00493BE2,?,00000000,?,00000001,?,00442017,?,?,00000000,0000008C,004484F8,?), ref: 00493A01
              • ResetEvent.KERNEL32(?,00000002,?,00493BE2,?,00000000,?,00000001,?,00442017,?,?,00000000,0000008C,004484F8,?), ref: 00493A10
              • GetLastError.KERNEL32(?,00493BE2,?,00000000,?,00000001,?,00442017,?,?,00000000,0000008C,004484F8,?,00000003,00000000), ref: 00493A1C
              • ResetEvent.KERNEL32(0000000E,00000002,?,00493BE2,?,00000000,?,00000001,?,00442017,?,?,00000000,0000008C,004484F8,?), ref: 00493A77
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: ErrorEventLastReset$lstrcatwsprintf
              • String ID: A$Range: bytes=%d-$Range: bytes=%d-
              • API String ID: 2894917480-4039695729
              • Opcode ID: 0c8336cd0f08749350e999e6e8559923d8a81dd9901c7dcfaf48193840dbc3c2
              • Instruction ID: 3a3eed02168d8fd45d0b2d86d50e482580bea76f68d309add814a4a3e0c7f2a1
              • Opcode Fuzzy Hash: 0c8336cd0f08749350e999e6e8559923d8a81dd9901c7dcfaf48193840dbc3c2
              • Instruction Fuzzy Hash: 8D415171100100EFDF199F55DC88A2A3FA9FF46705B1840BAFD05CA26AD739DD40DB19
              APIs
              • LoadIconW.USER32(0000000C,InstallShieldMSIDelete10), ref: 00412225
              • LoadCursorW.USER32(00000000,00007F00), ref: 00412234
              • GetStockObject.GDI32(00000004), ref: 0041223F
              • RegisterClassW.USER32(00000003), ref: 00412256
              • CreateWindowExW.USER32(00000000,InstallShieldMSIDelete10,InstallShieldMSIDelete10,80000000,00000000,00000000,00000000,00000000,00000000,00000000,0000000C,?), ref: 0041227A
              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 004122A7
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: Load$ClassCreateCursorIconMessageObjectRegisterStockWindow
              • String ID: InstallShieldMSIDelete10
              • API String ID: 195796534-324135598
              • Opcode ID: 19b92b204a4f864660887ab178c1fcb28afe87d02313e818b7a8213181ac2d77
              • Instruction ID: 9c13ae79201e5692500b712435aaff0666dbc01fb37437ed5c723e6526902329
              • Opcode Fuzzy Hash: 19b92b204a4f864660887ab178c1fcb28afe87d02313e818b7a8213181ac2d77
              • Instruction Fuzzy Hash: 2C11F9B2D04219AFDB009FE59D88EEFBBBCEB08744B114566F905E3200DB7C99458B78
              APIs
              • std::exception::exception.LIBCMT ref: 00452D1C
                • Part of subcall function 00457114: std::exception::_Copy_str.LIBCMT ref: 0045712D
              • __CxxThrowException@8.LIBCMT ref: 00452D31
                • Part of subcall function 00454622: RaiseException.KERNEL32(?,?,00452D08,00000000,?,?,?,?,00452D08,00000000,004E40A8,?), ref: 00454673
              • std::exception::exception.LIBCMT ref: 00452D4A
              • __CxxThrowException@8.LIBCMT ref: 00452D5F
              • std::regex_error::regex_error.LIBCPMT ref: 00452D71
                • Part of subcall function 004529E1: std::exception::exception.LIBCMT ref: 004529FB
              • __CxxThrowException@8.LIBCMT ref: 00452D7F
              • std::exception::exception.LIBCMT ref: 00452D98
              • __CxxThrowException@8.LIBCMT ref: 00452DAD
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: Exception@8Throwstd::exception::exception$Copy_strExceptionRaisestd::exception::_std::regex_error::regex_error
              • String ID: bad function call
              • API String ID: 2464034642-3612616537
              • Opcode ID: 106716b55100ffc719e84f055591905f5ed8f27fb6eb9765de35100ff324ac04
              • Instruction ID: 11ef2a64f99ffe03ec034d46348afdb7f67e33598333b94d7f8b02e1852cce34
              • Opcode Fuzzy Hash: 106716b55100ffc719e84f055591905f5ed8f27fb6eb9765de35100ff324ac04
              • Instruction Fuzzy Hash: BF116375C0020C7BCB04EF95D8469CD7BBCAA44345F508567BE149A642EB78A7488BE9
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 0043E2B9
              • GetDlgItem.USER32(?,00000000), ref: 0043E328
              • SendMessageW.USER32(00000000), ref: 0043E32B
              • GetDlgItem.USER32(?,00000000), ref: 0043E351
              • SendMessageW.USER32(00000000), ref: 0043E354
              • GetDlgItem.USER32(?,00000000), ref: 0043E3E4
              • SendMessageW.USER32(00000000), ref: 0043E3EB
              • EndDialog.USER32(?,00000002), ref: 0043E401
              • SetWindowTextW.USER32(?,-00000004), ref: 0043E452
              • DeleteObject.GDI32(00000040), ref: 0043E5E1
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: ItemMessageSend$DeleteDialogH_prolog3_ObjectTextWindow
              • String ID:
              • API String ID: 804393631-0
              • Opcode ID: 6a48d1fbc2feb788621a9a053f18edcc6bd38d5d2cb98f54acf2ace4f99ce252
              • Instruction ID: 12f6e1648cdfb2c37e74b84b99007cc67fc6d999e8f2880e88516a3ecf84e0b8
              • Opcode Fuzzy Hash: 6a48d1fbc2feb788621a9a053f18edcc6bd38d5d2cb98f54acf2ace4f99ce252
              • Instruction Fuzzy Hash: 90915A71580144EFC7089FA5DC88DBF3BA9FF49349B110069F9018B2B6CB3A9D21CB69
              APIs
              • __lock.LIBCMT ref: 00466747
                • Part of subcall function 00467E1A: __mtinitlocknum.LIBCMT ref: 00467E2C
                • Part of subcall function 00467E1A: __amsg_exit.LIBCMT ref: 00467E38
                • Part of subcall function 00467E1A: EnterCriticalSection.KERNEL32(00000000,?,004594E9,0000000D), ref: 00467E45
              • __calloc_crt.LIBCMT ref: 00466758
                • Part of subcall function 00459134: __calloc_impl.LIBCMT ref: 00459143
                • Part of subcall function 00459134: Sleep.KERNEL32(00000000,?,00459459,00000001,000003BC), ref: 0045915A
              • @_EH4_CallFilterFunc@8.LIBCMT ref: 00466773
              • GetStartupInfoW.KERNEL32(?,004E4698,00000064,00457FD3,004E42E0,00000014), ref: 004667CC
              • __calloc_crt.LIBCMT ref: 00466817
              • GetFileType.KERNEL32(00000001), ref: 0046685E
              • InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 00466897
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__amsg_exit__calloc_impl__lock__mtinitlocknum
              • String ID:
              • API String ID: 2673217650-0
              • Opcode ID: 97da874e6ddf7dac071c50cfb9c13422c53718de2b7e953c9513ca866a93db2f
              • Instruction ID: 6e47bdcf3aa8115dfaf2f4e9840155fc1bda63f70d0c5b0271b241f424a3249c
              • Opcode Fuzzy Hash: 97da874e6ddf7dac071c50cfb9c13422c53718de2b7e953c9513ca866a93db2f
              • Instruction Fuzzy Hash: BD8103B19053458FCB14CF69C9405AEBBF0AF45324B25426FD8A6AB3D1E7389807CB5A
              APIs
              • GetLastError.KERNEL32 ref: 004042D7
              • SetLastError.KERNEL32(004CC554,00000000,00000000,000000FF), ref: 0040433A
              • GetLastError.KERNEL32(?,?,000000FF,?,00000001,00000000), ref: 004043F5
              • SysFreeString.OLEAUT32(?), ref: 0040440F
              • SysFreeString.OLEAUT32(?), ref: 0040441C
              • SetLastError.KERNEL32(?), ref: 00404440
              • GetLastError.KERNEL32 ref: 00404453
              • SysFreeString.OLEAUT32(?), ref: 00404467
              • SysFreeString.OLEAUT32(?), ref: 00404474
              • SetLastError.KERNEL32(?), ref: 00404498
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: ErrorLast$FreeString
              • String ID:
              • API String ID: 2425351278-0
              • Opcode ID: e8e78b7cade6f3adcff17dbe4ac8de5f8b5d1ba4094a9ab6de607b48ccec240b
              • Instruction ID: 326331f4a04c3630241bc25187c8dd7ba5a51c03e006b35845ed912850392ce3
              • Opcode Fuzzy Hash: e8e78b7cade6f3adcff17dbe4ac8de5f8b5d1ba4094a9ab6de607b48ccec240b
              • Instruction Fuzzy Hash: 4B6157711083809FD310DF29C884B5BBBE4BF85318F104A2DF999972A1DB79E948CF96
              APIs
              • GetLastError.KERNEL32 ref: 00402E05
              • SetLastError.KERNEL32(004CC554,00000000,00000000,000000FF), ref: 00402E65
              • GetLastError.KERNEL32 ref: 00402E8E
              • SetLastError.KERNEL32(?,00000000,00000000,000000FF), ref: 00402EEE
              • GetLastError.KERNEL32 ref: 00402F0E
              • SetLastError.KERNEL32(?,?,00000000,000000FF), ref: 00402F5A
              • GetLastError.KERNEL32 ref: 00402F69
              • SysFreeString.OLEAUT32(?), ref: 00402F83
              • SysFreeString.OLEAUT32(?), ref: 00402F90
              • SetLastError.KERNEL32(?), ref: 00402FB4
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: ErrorLast$FreeString
              • String ID:
              • API String ID: 2425351278-0
              • Opcode ID: a48cab3bdec811a15d6c580d1afc82b581bb57cd51a4a834ef63c4e0c1bfa066
              • Instruction ID: ce90cbda75ff8c433f37b613b50f39f85fd0525571352e22c20b18ec72eaec6e
              • Opcode Fuzzy Hash: a48cab3bdec811a15d6c580d1afc82b581bb57cd51a4a834ef63c4e0c1bfa066
              • Instruction Fuzzy Hash: BC5118715083409FD710DF29C944B0BBBF4FF89318F104A2EE999976A1D77AE905CB8A
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 0041E242
                • Part of subcall function 0041E4F3: lstrlenW.KERNEL32(?), ref: 0041E4FE
              • CopyFileW.KERNEL32(?,?,00000000,00000830,0042EE61,?,?), ref: 0041E25D
              • _memset.LIBCMT ref: 0041E27E
              • CreateThread.KERNEL32(00000000,00000000,0041E6C0,?,00000000,?), ref: 0041E311
              • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,00000004), ref: 0041E33C
              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0041E383
              • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 0041E398
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: MultipleObjectsWait$CopyCreateFileH_prolog3_MessagePeekThread_memsetlstrlen
              • String ID:
              • API String ID: 4111908098-0
              • Opcode ID: 2e0b85fb2a3ac0616b802db8e2994aff6bb6f59d7d163f8e8c5d6ac52ae33d11
              • Instruction ID: dbec85e79b6843c1f5d763276e55e030adde05e3ce7375d6ac7790f3353aac02
              • Opcode Fuzzy Hash: 2e0b85fb2a3ac0616b802db8e2994aff6bb6f59d7d163f8e8c5d6ac52ae33d11
              • Instruction Fuzzy Hash: D241D375900218ABD720AB668C45BEA73ACBF44714F0085BAFD5597281CE785E858F98
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 004490D1
                • Part of subcall function 0042B91E: __EH_prolog3_GS.LIBCMT ref: 0042B925
                • Part of subcall function 00402CA0: GetLastError.KERNEL32(17703A82,?,00000000,?,?,?,004B3A88,000000FF,?,00401F2D,InstallShield.log,?,00000001), ref: 00402CF0
                • Part of subcall function 00402CA0: SetLastError.KERNEL32(?,004CBE7C,00000000,?,00000000,?,?,?,004B3A88,000000FF,?,00401F2D,InstallShield.log,?,00000001), ref: 00402D68
                • Part of subcall function 00401AC0: GetLastError.KERNEL32(?,00000000,004035F7,00000000,00000000,?,?,00000000,004CBE7C,?,00000001,?,00000000,000000FF,-00000004,?), ref: 00401ACF
                • Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AEB
                • Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AF6
                • Part of subcall function 00401AC0: SetLastError.KERNEL32(?), ref: 00401B14
              • GetFileAttributesW.KERNEL32(?), ref: 004491D6
              • GetTempPathW.KERNEL32(00000104,00000000,?,00000104), ref: 0044923B
              • GetTempFileNameW.KERNEL32(?,IS_,00000000,00000000,?,00000104), ref: 00449290
              • GetModuleFileNameW.KERNEL32(?,00000104), ref: 004492B3
                • Part of subcall function 00415ADC: SysFreeString.OLEAUT32(00000000), ref: 00415AEB
                • Part of subcall function 0044D4F9: __EH_prolog3.LIBCMT ref: 0044D500
                • Part of subcall function 0044D4F9: CloseHandle.KERNEL32(?,00000008,0044F952,?,?,004CBE7C,?,?,00000000,00000000), ref: 0044D55D
              • DeleteFileW.KERNEL32(?), ref: 004493E7
                • Part of subcall function 00423A44: __EH_prolog3_GS.LIBCMT ref: 00423A4B
                • Part of subcall function 00423A44: LoadLibraryW.KERNEL32(?,?,00000001,0000006C,004348EF,?,00000000,?,00000000), ref: 00423A74
                • Part of subcall function 00423A44: GetLastError.KERNEL32 ref: 00423A8B
                • Part of subcall function 00423E3A: __EH_prolog3.LIBCMT ref: 00423E41
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: ErrorLast$File$FreeH_prolog3_String$H_prolog3NameTemp$AttributesCloseDeleteHandleLibraryLoadModulePath
              • String ID: ISSetup.dll$IS_
              • API String ID: 2103059120-269610055
              • Opcode ID: 362754b9e9b7ec8ce33c2f3678e5f185a79874d6f59de8b186745162ff6679f6
              • Instruction ID: 9ba6b5fe3dce23ee59b3dfafc61150272afa9469968249f5376f2ae6c72450c1
              • Opcode Fuzzy Hash: 362754b9e9b7ec8ce33c2f3678e5f185a79874d6f59de8b186745162ff6679f6
              • Instruction Fuzzy Hash: 7DA19C30905258DFDB25EB64CC98BDDB7B8AB19308F5001EEE009A31A1DB785F88DF55
              APIs
                • Part of subcall function 0049BCB9: __EH_prolog3.LIBCMT ref: 0049BCC0
              • _memmove.LIBCMT ref: 0049BA7D
              • GetWindowDC.USER32(00000000), ref: 0049BA8D
              • CreateDIBitmap.GDI32(00000000,00000000,00000004,000000FF,00000000,00000000), ref: 0049BAA2
              • ReleaseDC.USER32(00000000,00000000), ref: 0049BAD3
              • _memset.LIBCMT ref: 0049BB06
              • _memmove.LIBCMT ref: 0049BB13
              • _memmove.LIBCMT ref: 0049BB27
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: _memmove$BitmapCreateH_prolog3ReleaseWindow_memset
              • String ID: (
              • API String ID: 3696145347-3887548279
              • Opcode ID: 296db0213babdee96a23004dc7c5bfd35cb1aa381a4e37a58ae7aa6daab8fcdb
              • Instruction ID: b6113b3728d24150d20a6a5bb78bc15c7f6e98c14d089240ac61687e6eda7aca
              • Opcode Fuzzy Hash: 296db0213babdee96a23004dc7c5bfd35cb1aa381a4e37a58ae7aa6daab8fcdb
              • Instruction Fuzzy Hash: 4A7128B1D002189FDB60DFA5D945B9EBBF4FF09304F10416AE809EB242EB75AA44CF94
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 004359D8
                • Part of subcall function 00402CA0: GetLastError.KERNEL32(17703A82,?,00000000,?,?,?,004B3A88,000000FF,?,00401F2D,InstallShield.log,?,00000001), ref: 00402CF0
                • Part of subcall function 00402CA0: SetLastError.KERNEL32(?,004CBE7C,00000000,?,00000000,?,?,?,004B3A88,000000FF,?,00401F2D,InstallShield.log,?,00000001), ref: 00402D68
                • Part of subcall function 004457A9: __EH_prolog3_GS.LIBCMT ref: 004457B0
                • Part of subcall function 00401AC0: GetLastError.KERNEL32(?,00000000,004035F7,00000000,00000000,?,?,00000000,004CBE7C,?,00000001,?,00000000,000000FF,-00000004,?), ref: 00401ACF
                • Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AEB
                • Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AF6
                • Part of subcall function 00401AC0: SetLastError.KERNEL32(?), ref: 00401B14
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: ErrorLast$FreeH_prolog3_String
              • String ID: Install does not use script$Install is basic with InstallScript custom actions$Install is script driven (ISMSI)$Install is script driven MSI 4.5 style embedded UI (ISMSI)$ScriptDriven$Startup$msiaction.cpp
              • API String ID: 2608676048-4080540832
              • Opcode ID: 08373d8bef42d0d274daa36892ecb0d0f02f877a33801f67aeaa7fdc1688189e
              • Instruction ID: 2a52b56eaba1aad1d2c053f081c75ffdf52180bf0ec5ccc377b27069e797e48f
              • Opcode Fuzzy Hash: 08373d8bef42d0d274daa36892ecb0d0f02f877a33801f67aeaa7fdc1688189e
              • Instruction Fuzzy Hash: 5A718570914258EEEB25D7A0CD55BEEB778BB14304F5401ABA145730D1DBB81F88CF58
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: _memset$H_prolog3lstrcpywsprintf
              • String ID: %s /g %s /g %s$%s /g %s /g %s /s
              • API String ID: 103519269-3131057161
              • Opcode ID: c03656f0f4d6e5887fe8509ce2791ffed74dc3fcd6a2f77fa7ed04c6f3ab9296
              • Instruction ID: fdcf9420ef54a748c9d71aa4477aaa3a3d9efc30dfc4393d52034616c22dd785
              • Opcode Fuzzy Hash: c03656f0f4d6e5887fe8509ce2791ffed74dc3fcd6a2f77fa7ed04c6f3ab9296
              • Instruction Fuzzy Hash: 2951B571A44258AFDB20DB65DC49FEB77BCEB04305F0000FBF406D7192DA389A988B59
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: wsprintf$_memsetlstrlen
              • String ID: %s%s$ftp://$http://$https://
              • API String ID: 114250505-620530764
              • Opcode ID: 152a5f0789d35c8c94e791fda8dceba5a66bbd94d4f3661e9d3f5a9719e8c110
              • Instruction ID: 3a09a2fc93a0818acb6e4c67b5d2e9a3ecdd4ed045129364782dee7ce3440c6d
              • Opcode Fuzzy Hash: 152a5f0789d35c8c94e791fda8dceba5a66bbd94d4f3661e9d3f5a9719e8c110
              • Instruction Fuzzy Hash: E621A635A00605BADB10AFAADC469EF7778EF45710B10446BF901EB282EA7CD945C7BC
              APIs
              • UnDecorator::getArgumentList.LIBCMT ref: 00469DE7
                • Part of subcall function 00469CBA: Replicator::operator[].LIBCMT ref: 00469D36
                • Part of subcall function 00469CBA: DName::operator+=.LIBCMT ref: 00469D3E
              • DName::operator+.LIBCMT ref: 00469E42
              • DName::DName.LIBCMT ref: 00469E9A
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: ArgumentDecorator::getListNameName::Name::operator+Name::operator+=Replicator::operator[]
              • String ID: ,...$,<ellipsis>$...$<ellipsis>$void
              • API String ID: 834187326-2211150622
              • Opcode ID: d2258500a3cb1ce202ce71a2f9ea2b255d059f9c1fe6c077ccd028db603b5843
              • Instruction ID: 4ff6b42569f8cab381955cf251acbb4222d502c4cc2fdd5cbb41472eb2be2e32
              • Opcode Fuzzy Hash: d2258500a3cb1ce202ce71a2f9ea2b255d059f9c1fe6c077ccd028db603b5843
              • Instruction Fuzzy Hash: 5C21FC386006059FCB05DF4CD491AB67BE8EB49B84F04C1AEE449CB3A2DB7ADD41CB49
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 00484C43
              • GetModuleHandleW.KERNEL32(kernel32.dll,FindFirstFileW,00000254,0048386D), ref: 00484C5F
              • GetProcAddress.KERNEL32(00000000), ref: 00484C62
              • GetModuleHandleW.KERNEL32(kernel32.dll,FindFirstFileA), ref: 00484CA2
              • GetProcAddress.KERNEL32(00000000), ref: 00484CA5
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: AddressHandleModuleProc$H_prolog3_
              • String ID: FindFirstFileA$FindFirstFileW$kernel32.dll
              • API String ID: 762132516-163559883
              • Opcode ID: f7966ddeaa3d4ee6f2b0b28eb0ed7559bab2895a8ef890aa0948c5f275d6f833
              • Instruction ID: ab74c932c4f2786a2871153d5f88bc6ba362cb2b7585e6637a0c7269027ba11a
              • Opcode Fuzzy Hash: f7966ddeaa3d4ee6f2b0b28eb0ed7559bab2895a8ef890aa0948c5f275d6f833
              • Instruction Fuzzy Hash: 29110831901118ABCB10FBA4CC88BAE37686B84364F15475AB824A71C0D73C9E459B98
              APIs
              • UnDecorator::UScore.LIBCMT ref: 0046A0AC
              • DName::DName.LIBCMT ref: 0046A0B6
                • Part of subcall function 004684D2: DName::doPchar.LIBCMT ref: 00468500
              • UnDecorator::getScopedName.LIBCMT ref: 0046A0F6
              • DName::operator+=.LIBCMT ref: 0046A100
              • DName::operator+=.LIBCMT ref: 0046A10F
              • DName::operator+=.LIBCMT ref: 0046A11B
              • DName::operator+=.LIBCMT ref: 0046A128
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: Name::operator+=$Name$Decorator::Decorator::getName::Name::doPcharScopedScore
              • String ID: void
              • API String ID: 1480779885-3531332078
              • Opcode ID: ad10c0214122ebea5c6b5b13933552fee003438064d087cc293caa00c2bcd676
              • Instruction ID: 6bc5504f26f2a07100c29fbb805ea82dd8e69aec00849c63d72229cf8eaff702
              • Opcode Fuzzy Hash: ad10c0214122ebea5c6b5b13933552fee003438064d087cc293caa00c2bcd676
              • Instruction Fuzzy Hash: 061182745006089ACB04EF64C866AFD7B64EB05709F04429FE4416B2E2EF78AE95CA1F
              APIs
              • __EH_prolog3.LIBCMT ref: 0048B3E8
              • GetModuleHandleW.KERNEL32(kernel32.dll,SetFileAttributesW,00000000,0048373E,0000000A,00000000), ref: 0048B402
              • GetProcAddress.KERNEL32(00000000), ref: 0048B405
              • GetModuleHandleW.KERNEL32(kernel32.dll,SetFileAttributesA), ref: 0048B42C
              • GetProcAddress.KERNEL32(00000000), ref: 0048B42F
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: AddressHandleModuleProc$H_prolog3
              • String ID: SetFileAttributesA$SetFileAttributesW$kernel32.dll
              • API String ID: 1623054726-3589348009
              • Opcode ID: 95a829a783a6baeddbcd3557620d29e536e41271c3e339b5a6dfe55908a8bf85
              • Instruction ID: acb9633b4e41c4e01ecb2aafbc2f3540e6b9edcd103cd14535c0cbfcef48f17b
              • Opcode Fuzzy Hash: 95a829a783a6baeddbcd3557620d29e536e41271c3e339b5a6dfe55908a8bf85
              • Instruction Fuzzy Hash: E2F0FF30200604BBDB10BF75CC05E9E3B60AF84B84B52462AFC01A71A1CB3CD681CBAD
              APIs
              • __EH_prolog3.LIBCMT ref: 0048ADEB
              • GetModuleHandleW.KERNEL32(kernel32.dll,RemoveDirectoryW,00000000,00483C9B), ref: 0048AE05
              • GetProcAddress.KERNEL32(00000000), ref: 0048AE08
              • GetModuleHandleW.KERNEL32(kernel32.dll,RemoveDirectoryA), ref: 0048AE2C
              • GetProcAddress.KERNEL32(00000000), ref: 0048AE2F
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: AddressHandleModuleProc$H_prolog3
              • String ID: RemoveDirectoryA$RemoveDirectoryW$kernel32.dll
              • API String ID: 1623054726-1796459256
              • Opcode ID: 06b0ed93e21479c2a6d730c5a45ad44cdba7a1cad4e5a30e76b276e296d635d0
              • Instruction ID: 3a24de988b43490104fbd96b75354a8d46f030b63f453499884192a3758ecfd3
              • Opcode Fuzzy Hash: 06b0ed93e21479c2a6d730c5a45ad44cdba7a1cad4e5a30e76b276e296d635d0
              • Instruction Fuzzy Hash: 17F04630640600A7EB20BF758C44FAE3364AF84B44B524A2BF80097140CF7CD901CBAD
              APIs
              • __EH_prolog3.LIBCMT ref: 00485349
              • GetModuleHandleW.KERNEL32(kernel32.dll,GetFileAttributesW,00000000,004837EC), ref: 00485363
              • GetProcAddress.KERNEL32(00000000), ref: 00485366
              • GetModuleHandleW.KERNEL32(kernel32.dll,GetFileAttributesA), ref: 0048538A
              • GetProcAddress.KERNEL32(00000000), ref: 0048538D
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: AddressHandleModuleProc$H_prolog3
              • String ID: GetFileAttributesA$GetFileAttributesW$kernel32.dll
              • API String ID: 1623054726-1399581607
              • Opcode ID: bfe7392a4c52fd85ec485d09418fdbdfe622f6f401ea2077e6415be3bcf3e69d
              • Instruction ID: f55b91033bff47282d0e15cd9a6152010985c04881dec43b1fa741abe359666d
              • Opcode Fuzzy Hash: bfe7392a4c52fd85ec485d09418fdbdfe622f6f401ea2077e6415be3bcf3e69d
              • Instruction Fuzzy Hash: CBF0C230600A04ABDB15BFB58C45E9E3664AF80B84B624B2AFC119B140CB7CD642CBAD
              APIs
              • __EH_prolog3.LIBCMT ref: 0048367D
              • GetModuleHandleW.KERNEL32(kernel32.dll,DeleteFileW,00000000,00483755,0000000A,00000000,00000000), ref: 00483697
              • GetProcAddress.KERNEL32(00000000), ref: 0048369A
              • GetModuleHandleW.KERNEL32(kernel32.dll,DeleteFileA), ref: 004836BE
              • GetProcAddress.KERNEL32(00000000), ref: 004836C1
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: AddressHandleModuleProc$H_prolog3
              • String ID: DeleteFileA$DeleteFileW$kernel32.dll
              • API String ID: 1623054726-1437360270
              • Opcode ID: ecad37d9c573f900330b9e5bad9ac6b4e9117e3a91160c6ec76098e23d351983
              • Instruction ID: d8bc9bb64c8d552740b4cde049d9e2bd8c48e3064aab5d9793a13e98372b43b1
              • Opcode Fuzzy Hash: ecad37d9c573f900330b9e5bad9ac6b4e9117e3a91160c6ec76098e23d351983
              • Instruction Fuzzy Hash: 7BF0A431200604B7D721BF798C45E5E36646F80B55B61462AF801A7240DB3CE645CB9D
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 0043ECF5
              • GetDlgItemTextW.USER32(?,000003E8,?,00000064), ref: 0043ED44
              • GetDlgItem.USER32(?,00000001), ref: 0043ED51
                • Part of subcall function 0043EC37: wsprintfW.USER32 ref: 0043EC66
                • Part of subcall function 0043EC37: lstrcmpW.KERNEL32(?,?), ref: 0043EC7A
              • EnableWindow.USER32(00000000), ref: 0043ED74
              • EndDialog.USER32(?,00000002), ref: 0043ED7F
              • EndDialog.USER32(?,00000002), ref: 0043ED93
              • GetDlgItem.USER32(?,00000001), ref: 0043EDA9
              • SetWindowTextW.USER32(?,-00000004), ref: 0043EE26
              • EnableWindow.USER32(00000000,00000000), ref: 0043EE42
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: ItemWindow$DialogEnableText$H_prolog3_lstrcmpwsprintf
              • String ID:
              • API String ID: 2161687695-0
              • Opcode ID: 309bea5ad96e63a8f9f72d35f883c7e5ff74e94d2be40405cc30faec6d79f102
              • Instruction ID: b920d9b9442edd052c5a9421da7904c355cb392b59a15ef4e55a036e8d33d344
              • Opcode Fuzzy Hash: 309bea5ad96e63a8f9f72d35f883c7e5ff74e94d2be40405cc30faec6d79f102
              • Instruction Fuzzy Hash: E6310975501205FBEB10AB61DC06FBE3768BF09705F000416F642AB2E1CB7C9955CB6D
              APIs
              • FindResourceW.KERNEL32(?,?,00000001,?,?,00000001,?,00420DFB,?,?,00000005,00000080,0042039F,00000402,?,004203B2), ref: 0041D8B0
              • LoadResource.KERNEL32(?,00000000,?,?,00000001,?,00420DFB,?,?,00000005,00000080,0042039F,00000402,?,004203B2,?), ref: 0041D8C0
              • SizeofResource.KERNEL32(?,00000000,?,?,00000001,?,00420DFB,?,?,00000005,00000080,0042039F,00000402,?,004203B2,?), ref: 0041D8D6
              • GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000001,?,00420DFB,?,?,00000005,00000080,0042039F,00000402,?,004203B2,?), ref: 0041D8E6
              • LockResource.KERNEL32(00000000,?,?,?,00000001,?,00420DFB,?,?,00000005,00000080,0042039F,00000402,?,004203B2,?), ref: 0041D8F6
              • _memmove.LIBCMT ref: 0041D8FF
              • __CxxThrowException@8.LIBCMT ref: 0041D912
              • GlobalLock.KERNEL32(00000000), ref: 0041D934
                • Part of subcall function 0041DD61: GlobalAlloc.KERNEL32(00000040,?,?,?,0041D94C,00000000,00000000,?,00000000,00000000,?,?,00000001,?,00420DFB,?), ref: 0041DD73
                • Part of subcall function 0041DD61: GlobalLock.KERNEL32(00000000), ref: 0041DD81
                • Part of subcall function 0041DD61: _memmove.LIBCMT ref: 0041DD90
                • Part of subcall function 0041DD61: GlobalUnlock.KERNEL32 ref: 0041DDA8
              • GlobalUnlock.KERNEL32(00000000), ref: 0041D94F
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: Global$Resource$Lock$AllocUnlock_memmove$Exception@8FindLoadSizeofThrow
              • String ID:
              • API String ID: 3630157357-0
              • Opcode ID: e24fe6547007318343b69ee473b26fa431235dde553891b5c2e6609feef77aa8
              • Instruction ID: 2dfd06178e29037a36d962c2ec53e45e1c4ba30e14e742443724dd03956e9c9e
              • Opcode Fuzzy Hash: e24fe6547007318343b69ee473b26fa431235dde553891b5c2e6609feef77aa8
              • Instruction Fuzzy Hash: E92162B5600206BFDB112F65DC45AAB7FADEF44355F10853AFD09C1221DB79CC509668
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 00424E39
                • Part of subcall function 00424C51: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000001,00000000,?,?,00000000,?,00424E5F,000000FF,?), ref: 00424C74
                • Part of subcall function 00424D13: GetFileSize.KERNEL32(?,00000000,?,?,00000000,?,?,?,00424E99,000000FF,?,?,000000FF,?), ref: 00424D2C
                • Part of subcall function 00424D13: GetProcessHeap.KERNEL32(00000008,00000001,?,?,00000000,?,?,?,00424E99,000000FF,?,?,000000FF,?), ref: 00424D4D
                • Part of subcall function 00424D13: HeapAlloc.KERNEL32(00000000,?,?,00000000,?,?,?,00424E99,000000FF,?,?,000000FF,?), ref: 00424D54
                • Part of subcall function 00424D13: ReadFile.KERNEL32(?,00000000,00000000,00000000,00000000,?,?,00000000,?,?,?,00424E99,000000FF,?,?,000000FF), ref: 00424D72
                • Part of subcall function 00424D13: _strlen.LIBCMT ref: 00424D81
                • Part of subcall function 00424D13: GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,?,00000000,?,?,?,00424E99,000000FF,?,?,000000FF,?), ref: 00424DB6
                • Part of subcall function 00424D13: HeapFree.KERNEL32(00000000,?,?,00000000,?,?,?,00424E99,000000FF,?,?,000000FF,?), ref: 00424DBD
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: Heap$File$Process$AllocCreateFreeH_prolog3_ReadSize_strlen
              • String ID: $ hK$4hK$8hK$<hK$@hK
              • API String ID: 3764712436-1896373571
              • Opcode ID: bda0441ac25595a3fa39e70e4bb71bdc3fe01a0d2b8d72d0b5b66360b9858a6e
              • Instruction ID: 530f06bbab37d45a8d0cd9d73388ff6d202a2d463e9865addbe568b8d3dfd29c
              • Opcode Fuzzy Hash: bda0441ac25595a3fa39e70e4bb71bdc3fe01a0d2b8d72d0b5b66360b9858a6e
              • Instruction Fuzzy Hash: 72F15D71D01268DEDB20DFA5CC85BDEBBB8AF55304F5441AEE009A7281DB781E88CF65
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: ErrorLast_memsetwsprintf
              • String ID: Referer: %s$dwplayer
              • API String ID: 1359275013-1303060843
              • Opcode ID: c6d8e67311cedc11535b919281b539b58cc7e3ab1d6fd3c8035fc5348b833099
              • Instruction ID: 6fe0dc83d8a950fce98f71d6b510d7438fc282b6d6005714c114beb0dafcf531
              • Opcode Fuzzy Hash: c6d8e67311cedc11535b919281b539b58cc7e3ab1d6fd3c8035fc5348b833099
              • Instruction Fuzzy Hash: 1AC17F70A042989FDF20DF64C844BEDB7B5AF05344F1441EAE889A7291DBB85EC9CF54
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 0042A99F
                • Part of subcall function 00403E30: GetLastError.KERNEL32 ref: 00403E4F
                • Part of subcall function 00403E30: SetLastError.KERNEL32(?), ref: 00403E7F
                • Part of subcall function 00420177: __EH_prolog3_GS.LIBCMT ref: 0042017E
                • Part of subcall function 00420AA0: __EH_prolog3.LIBCMT ref: 00420AA7
                • Part of subcall function 00416398: __EH_prolog3_GS.LIBCMT ref: 004163A2
                • Part of subcall function 004202D0: __EH_prolog3_GS.LIBCMT ref: 004202D7
                • Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00415457,00000000,?,00000000,?,00000001,00000044,004152EA,004CC0A0,?,00000000,00000000,00000040,004115AA), ref: 00401B8F
                • Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
                • Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
                • Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4
                • Part of subcall function 004115ED: __EH_prolog3.LIBCMT ref: 004115F4
                • Part of subcall function 00411456: __EH_prolog3.LIBCMT ref: 0041145D
                • Part of subcall function 004873F9: __EH_prolog3_GS.LIBCMT ref: 00487403
                • Part of subcall function 004160CC: __EH_prolog3.LIBCMT ref: 004160D3
                • Part of subcall function 00416071: SysStringLen.OLEAUT32(?), ref: 0041607E
                • Part of subcall function 00416071: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 00416098
              • VerLanguageNameW.KERNEL32(?,00000000,00000104,?,00000104,00000000), ref: 0042ACCD
                • Part of subcall function 00411BD3: __EH_prolog3_GS.LIBCMT ref: 00411BDA
                • Part of subcall function 00411BD3: GetLastError.KERNEL32(00000038,004212CA), ref: 00411BE1
                • Part of subcall function 00411BD3: SetLastError.KERNEL32(00000000), ref: 00411C37
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: ErrorH_prolog3_Last$H_prolog3String$Free$AllocLanguageName
              • String ID: $.ini$0x%04x$0x0409$Languages
              • API String ID: 688613020-2806253622
              • Opcode ID: 9a2d7c2eb29270d32e416074ecf3432361acf6adb390cfe136d67e39a3151ae5
              • Instruction ID: 98fc465cd682a880a97ec6723f4ef1f0f4add7fa01f98c9efd86665621a1343a
              • Opcode Fuzzy Hash: 9a2d7c2eb29270d32e416074ecf3432361acf6adb390cfe136d67e39a3151ae5
              • Instruction Fuzzy Hash: A1A1D470D0025CEADF10E7A5CC56BDEBBB4AF15304F4440DEE509A7182DB791B48DBA6
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 004253D8
              • GetProcAddress.KERNEL32(?,RunISMSISetup), ref: 004253EA
              • GetModuleFileNameW.KERNEL32(00000000,00000400,?,00000400), ref: 00425455
                • Part of subcall function 00401AC0: GetLastError.KERNEL32(?,00000000,004035F7,00000000,00000000,?,?,00000000,004CBE7C,?,00000001,?,00000000,000000FF,-00000004,?), ref: 00401ACF
                • Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AEB
                • Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AF6
                • Part of subcall function 00401AC0: SetLastError.KERNEL32(?), ref: 00401B14
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: ErrorFreeLastString$AddressFileH_prolog3_ModuleNameProc
              • String ID: ProductCode$RunISMSISetup$Startup$setup.ini
              • API String ID: 585182573-3003089463
              • Opcode ID: ad8d794038a84f04c9f95a0792e44d192dd45ac295b65192bc7b98f876028a27
              • Instruction ID: 3298082512fbdb9db1ea98ee84c60639988d40d041ef81c440af5e4adcc7d080
              • Opcode Fuzzy Hash: ad8d794038a84f04c9f95a0792e44d192dd45ac295b65192bc7b98f876028a27
              • Instruction Fuzzy Hash: 3E719D30911158EECB11EBA4CD94BDEBBB4AF55308F1440EEE04A77192DB785F48DB64
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 00443631
                • Part of subcall function 00403E30: GetLastError.KERNEL32 ref: 00403E4F
                • Part of subcall function 00403E30: SetLastError.KERNEL32(?), ref: 00403E7F
                • Part of subcall function 00419EA4: __EH_prolog3_GS.LIBCMT ref: 00419EAB
                • Part of subcall function 0043908D: __EH_prolog3.LIBCMT ref: 00439094
                • Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00415457,00000000,?,00000000,?,00000001,00000044,004152EA,004CC0A0,?,00000000,00000000,00000040,004115AA), ref: 00401B8F
                • Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
                • Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
                • Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: ErrorLast$FreeH_prolog3_String$H_prolog3
              • String ID: IS_MINOR_UPGRADE=1$ REINSTALL=ALL$ REINSTALLMODE=vomus$IS_MINOR_UPGRADE$REINSTALL$REINSTALLMODE
              • API String ID: 386487564-3166201577
              • Opcode ID: dd514e8c315072d2dbe7861136944bc000e1e19ebe9c215b5c2bdd28a959e6bb
              • Instruction ID: 3e7f03c4bb6d3f84155a48acc6abf7fa8438aa2c59860d1c5ef2eca4cdf193cb
              • Opcode Fuzzy Hash: dd514e8c315072d2dbe7861136944bc000e1e19ebe9c215b5c2bdd28a959e6bb
              • Instruction Fuzzy Hash: 9241F671A00108AADB14F7A4DC52BFD7278AF92728F20415EF115AB1D2DFBC1E49CB69
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 0047F69F
                • Part of subcall function 00403E30: GetLastError.KERNEL32 ref: 00403E4F
                • Part of subcall function 00403E30: SetLastError.KERNEL32(?), ref: 00403E7F
              • GetSystemDirectoryW.KERNEL32(00000000,00000104), ref: 0047F7D5
                • Part of subcall function 00442A6D: __EH_prolog3.LIBCMT ref: 00442A74
                • Part of subcall function 00442A6D: GetLastError.KERNEL32(00000004,004426A9,00000008,00448260,004BAB98,00000001,?,00000001), ref: 00442A8D
              • __CxxThrowException@8.LIBCMT ref: 0047F724
                • Part of subcall function 00454622: RaiseException.KERNEL32(?,?,00452D08,00000000,?,?,?,?,00452D08,00000000,004E40A8,?), ref: 00454673
              • GetWindowsDirectoryW.KERNEL32(00000000,00000104,?,00000104,00000078,00485E05,?,00000000,00000068,00434608,?,004F2F68,?,00000000,00000000,?), ref: 0047F6F7
                • Part of subcall function 00411BD3: __EH_prolog3_GS.LIBCMT ref: 00411BDA
                • Part of subcall function 00411BD3: GetLastError.KERNEL32(00000038,004212CA), ref: 00411BE1
                • Part of subcall function 00411BD3: SetLastError.KERNEL32(00000000), ref: 00411C37
              • GetWindowsDirectoryW.KERNEL32(00000000,00000104,?,00000104,00000078,00485E05,?,00000000,00000068,00434608,?,004F2F68,?,00000000,00000000,?), ref: 0047F768
                • Part of subcall function 00416071: SysStringLen.OLEAUT32(?), ref: 0041607E
                • Part of subcall function 00416071: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 00416098
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: ErrorLast$Directory$H_prolog3_StringWindows$AllocExceptionException@8H_prolog3RaiseSystemThrow
              • String ID: sysnative$syswow64
              • API String ID: 415710860-1057783856
              • Opcode ID: 0b1e4cad3c154b84eaadae97a888eadb044a392482acca6daaba42d434b1e710
              • Instruction ID: bfd0a7bfaf41c7dbb2eeb8113caa987c764fc2c4fdde848ef2299f6d46f20014
              • Opcode Fuzzy Hash: 0b1e4cad3c154b84eaadae97a888eadb044a392482acca6daaba42d434b1e710
              • Instruction Fuzzy Hash: A641C034904248DECB10EBE5C895BDDBBB4BF15308F64805FE546672A2DF785A0DCB2A
              APIs
              • GetLastError.KERNEL32(17703A82,?,?,00000000,?,?,?,?,?,?,004B3A10,000000FF,?,00403A23,?,?), ref: 00404051
              • SetLastError.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,004B3A10,000000FF,?,00403A23,?,?), ref: 00404081
              • GetLastError.KERNEL32(00000000,00000000,00000000,?,00000001,?,?,00000000,?,?,?,?,?,?,004B3A10,000000FF), ref: 004040D1
              • SysFreeString.OLEAUT32(?), ref: 004040ED
              • SysFreeString.OLEAUT32(?), ref: 004040F8
              • SetLastError.KERNEL32(?), ref: 00404118
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: ErrorLast$FreeString
              • String ID: #:@
              • API String ID: 2425351278-2520759874
              • Opcode ID: 8e7d57210b8eb68f13a9cb5594db8557d2fe37f55ee7bfe1f43f4cefd913b802
              • Instruction ID: aa544c82b2e9f50d1223fad72f384b7d306d5206e462c55c5db97e01d95447f7
              • Opcode Fuzzy Hash: 8e7d57210b8eb68f13a9cb5594db8557d2fe37f55ee7bfe1f43f4cefd913b802
              • Instruction Fuzzy Hash: 11415BB1900609EFDB00CFA5C944B9EBBF4FF08318F14812AE919A7751DB79A915CF98
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 0047F833
              • GetModuleHandleW.KERNEL32(KERNEL32.DLL), ref: 0047F856
              • GetProcAddress.KERNEL32(00000000,GetSystemWindowsDirectoryW), ref: 0047F86A
                • Part of subcall function 00411357: __EH_prolog3.LIBCMT ref: 0041135E
                • Part of subcall function 00411357: GetLastError.KERNEL32(00000004,00411629,00000000,?,00000000,00000004,0041643B,-00000004,?,00000001,?,00000000), ref: 00411380
                • Part of subcall function 00411357: SetLastError.KERNEL32(?,00000000,?), ref: 004113C1
                • Part of subcall function 00411254: __EH_prolog3.LIBCMT ref: 0041125B
                • Part of subcall function 00411254: GetLastError.KERNEL32(00000004,00411484,00000000,00000000,00000004,004152FC,?,00000001,00411C1B,00000000), ref: 0041127D
                • Part of subcall function 00411254: SetLastError.KERNEL32(?,00000000), ref: 004112BD
              • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 0047F8EE
              • __CxxThrowException@8.LIBCMT ref: 0047F90F
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: ErrorLast$H_prolog3$AddressDirectoryException@8H_prolog3_HandleModuleProcThrowWindows
              • String ID: GetSystemWindowsDirectoryW$KERNEL32.DLL
              • API String ID: 4209068821-1259663462
              • Opcode ID: 882d97fe7f6aaa6bd269e441c3abce5e4e314d51b75e35a02a85693b12eb22b0
              • Instruction ID: 536cbc0d82e91ac02fde253f88b1463b59b49093749872716deb692059aaf66a
              • Opcode Fuzzy Hash: 882d97fe7f6aaa6bd269e441c3abce5e4e314d51b75e35a02a85693b12eb22b0
              • Instruction Fuzzy Hash: 0D3154709142189BDB60EF61CC99FDDB2B8AF54704F1045ABA519A2251DB7C9A88CF28
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 0048961A
              • GetModuleHandleW.KERNEL32(Ntdll.dll,NtQueryInformationProcess,?,00000400,?,000004A0,004895FE,00000000,?,0000006C,0048BECB,004881FF,?,?), ref: 0048964A
              • GetProcAddress.KERNEL32(00000000), ref: 00489651
              • OpenProcess.KERNEL32(00000400,00000000,?,?,0000006C,0048BECB,004881FF,?,?), ref: 0048967D
              • _memset.LIBCMT ref: 004896A2
                • Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00415457,00000000,?,00000000,?,00000001,00000044,004152EA,004CC0A0,?,00000000,00000000,00000040,004115AA), ref: 00401B8F
                • Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
                • Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
                • Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: ErrorFreeLastString$AddressH_prolog3_HandleModuleOpenProcProcess_memset
              • String ID: NtQueryInformationProcess$Ntdll.dll
              • API String ID: 954382961-801751246
              • Opcode ID: cb8402bb6fc0bb3830ad432ba9d952d7e06c6edcfa4d0af1636a522112c88bfd
              • Instruction ID: 30e789e6b63bda6ef780b9068c2b403004708c2c14f134890bbd0645f429556b
              • Opcode Fuzzy Hash: cb8402bb6fc0bb3830ad432ba9d952d7e06c6edcfa4d0af1636a522112c88bfd
              • Instruction Fuzzy Hash: 213172B19002289BDF20EB60CC45BDD7778AF44704F0444EAA709A7182DB785F88CF5D
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 004375BF
              • _memset.LIBCMT ref: 004375E2
                • Part of subcall function 004019E0: RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?), ref: 00401A08
                • Part of subcall function 00444B3B: __EH_prolog3.LIBCMT ref: 00444B42
              • lstrcpyW.KERNEL32(?,-00000004,?), ref: 00437648
              • lstrcatW.KERNEL32(?," /%), ref: 0043766F
              • _wcschr.LIBCMT ref: 0043767A
              • lstrcatW.KERNEL32(?,00000000), ref: 0043768D
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: lstrcat$H_prolog3H_prolog3_QueryValue_memset_wcschrlstrcpy
              • String ID: " /%
              • API String ID: 2854241388-1244271203
              • Opcode ID: bc5f6d91860405a63485aec569a673842c3521f1d9b5781eaffdc2f134457a1b
              • Instruction ID: e8c1cff05820fde3469a26c4f7e52c18b49ef91aad8d40502e2bddd46ab63e7c
              • Opcode Fuzzy Hash: bc5f6d91860405a63485aec569a673842c3521f1d9b5781eaffdc2f134457a1b
              • Instruction Fuzzy Hash: B42165B1A1021C6ADB10EB65CC55BAE73ECBF48714F0441ABB545E7181DF38DA44CB98
              APIs
              • __EH_prolog3.LIBCMT ref: 00489B48
                • Part of subcall function 00411254: __EH_prolog3.LIBCMT ref: 0041125B
                • Part of subcall function 00411254: GetLastError.KERNEL32(00000004,00411484,00000000,00000000,00000004,004152FC,?,00000001,00411C1B,00000000), ref: 0041127D
                • Part of subcall function 00411254: SetLastError.KERNEL32(?,00000000), ref: 004112BD
                • Part of subcall function 0048B489: __EH_prolog3.LIBCMT ref: 0048B490
              • LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00489BB8
              • GetLastError.KERNEL32 ref: 00489BC9
              • RegOverridePredefKey.ADVAPI32(80000000,00000000), ref: 00489C1C
                • Part of subcall function 0048A8B4: GetVersionExW.KERNEL32(?), ref: 0048A8D8
                • Part of subcall function 00480EFC: RegOverridePredefKey.ADVAPI32(80000000,?), ref: 00480F34
              • GetProcAddress.KERNEL32(00000000,DllRegisterServer), ref: 00489BE4
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: ErrorH_prolog3Last$OverridePredef$AddressLibraryLoadProcVersion
              • String ID: DllRegisterServer$DllUnregisterServer
              • API String ID: 916470829-2931954178
              • Opcode ID: 1fb44a4d3caa0564cff1baa18d2d7b62b7b6776b83cb8f3c4ae57ee22ff7fc05
              • Instruction ID: 532b64043611591d32050e9a5a43e0e2342034f936c2dab8c5a826b1cc302225
              • Opcode Fuzzy Hash: 1fb44a4d3caa0564cff1baa18d2d7b62b7b6776b83cb8f3c4ae57ee22ff7fc05
              • Instruction Fuzzy Hash: 06213570500244AEEF00FFB4C855BBE3BA4AF40308F48886EE8459B242D77D9A49C759
              APIs
              • _memset.LIBCMT ref: 004518B0
              • CharNextW.USER32(?,?,?,C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}), ref: 004518B9
              • lstrcpyW.KERNEL32(?,00000000,?,?,C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}), ref: 004518CD
              • CharNextW.USER32(00000000,?,?,C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}), ref: 004518E2
              • CharPrevW.USER32(00000000,00000000,?,?,C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}), ref: 004518FB
              • lstrcpyW.KERNEL32(?,00000000,?,?,C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}), ref: 00451916
              Strings
              • C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}, xrefs: 00451889
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: Char$Nextlstrcpy$Prev_memset
              • String ID: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}
              • API String ID: 3355883774-255431040
              • Opcode ID: 165fcfd99b931ea27eaa5dde69d43e3d16a672b423465f232e5bdeb015fc3b59
              • Instruction ID: d811ab5b5e40556441d866eed5629ee52254d1624175af633b308d771aee7313
              • Opcode Fuzzy Hash: 165fcfd99b931ea27eaa5dde69d43e3d16a672b423465f232e5bdeb015fc3b59
              • Instruction Fuzzy Hash: 4C1194B6940118ABCB11ABA4DC05A9B73FCFF44305F0590A7EA45D7151DA786E88CBE8
              APIs
              • GetModuleHandleW.KERNEL32(kernel32.dll,FindNextFileW,00000000,00000000), ref: 00484DE8
              • GetProcAddress.KERNEL32(00000000), ref: 00484DEF
              • GetModuleHandleW.KERNEL32(kernel32.dll,FindNextFileA), ref: 00484E25
              • GetProcAddress.KERNEL32(00000000), ref: 00484E2C
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: AddressHandleModuleProc
              • String ID: FindNextFileA$FindNextFileW$kernel32.dll
              • API String ID: 1646373207-719559652
              • Opcode ID: 6d49263d9e6d008510e777cc1dd3ed607fc5ae29c46ccfd9c81a9b860f915f95
              • Instruction ID: 7b059594d46f13e84938a0671cd8a53454519a8ad1037c84e2442b25f1ef1675
              • Opcode Fuzzy Hash: 6d49263d9e6d008510e777cc1dd3ed607fc5ae29c46ccfd9c81a9b860f915f95
              • Instruction Fuzzy Hash: DA11E531A00615AB9B11FBB88C85EBE73F86F88B01B05016AB815E3240DB3C9E058B6C
              APIs
              • GetModuleHandleW.KERNEL32(kernel32.dll,GetProcessId,00000000,004881FF,?,00485C86,00000000,?,?,?,?,?,0000006C,0048BECB,004881FF,?), ref: 004863EA
              • GetProcAddress.KERNEL32(00000000), ref: 004863F1
              • OpenProcess.KERNEL32(001FFFFF,00000001,?,00000000,00000000,004881FF,?,00485C86,00000000,?,?,?,?,?,0000006C,0048BECB), ref: 00486411
              • GetProcessTimes.KERNEL32(004881FF,0048BECB,0000006C,?,?,00000000,00000000,004881FF,?,00485C86,00000000,?,?,?,?,?), ref: 0048642A
              • CloseHandle.KERNEL32(004881FF,?,00485C86,00000000,?,?,?,?,?,0000006C,0048BECB,004881FF,?,?), ref: 00486437
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: HandleProcess$AddressCloseModuleOpenProcTimes
              • String ID: GetProcessId$kernel32.dll
              • API String ID: 4254294609-399901964
              • Opcode ID: 0ef9760eebf54edbf52b6cdfe251e592aa0452f54e40bfd7dfdbb41d1d3a2cb7
              • Instruction ID: 0b412e794f4f5f7d48e382766fcc1e50fa60fbf03ff20cb19f126b3e0d3479cf
              • Opcode Fuzzy Hash: 0ef9760eebf54edbf52b6cdfe251e592aa0452f54e40bfd7dfdbb41d1d3a2cb7
              • Instruction Fuzzy Hash: F501F7332416256B5B522FA45C44DAF7769EF85FA471B4526FD00D3310CB39CC1247AD
              APIs
              • GetModuleHandleW.KERNEL32(kernel32.dll,CreateFileW,?,00000000,?,00448604,?,?,00000000,?,004BABA0,?,?,?,00000000,00484A59), ref: 004834C9
              • GetProcAddress.KERNEL32(00000000), ref: 004834CC
              • GetModuleHandleW.KERNEL32(kernel32.dll,CreateFileA,?,00000000,?,00448604,?,?,00000000,?,004BABA0,?,?,?,00000000,00484A59), ref: 00483501
              • GetProcAddress.KERNEL32(00000000), ref: 00483504
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: AddressHandleModuleProc
              • String ID: CreateFileA$CreateFileW$kernel32.dll
              • API String ID: 1646373207-3217398002
              • Opcode ID: 905998600f114c23a31b2873db792880feaa7f1beb1953fdc99ab4ff111dacee
              • Instruction ID: d4b091ed77c9d19767285b6504858dc918449eaee644516819f823f29ed44504
              • Opcode Fuzzy Hash: 905998600f114c23a31b2873db792880feaa7f1beb1953fdc99ab4ff111dacee
              • Instruction Fuzzy Hash: 60019232500609BFDF025FA4DC44CAE3F2AFF08755B04461AFE1556160C73AD921DBA8
              APIs
              • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 004532EE
              • GetProcAddress.KERNEL32(00000000,LCMapStringEx), ref: 004532FE
              • EncodePointer.KERNEL32(00000000), ref: 00453307
              • DecodePointer.KERNEL32(00000000), ref: 00453315
              • LCMapStringW.KERNEL32(00000000,?,?,?,?,?), ref: 00453359
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: Pointer$AddressDecodeEncodeHandleModuleProcString
              • String ID: LCMapStringEx$kernel32.dll
              • API String ID: 405835482-327329431
              • Opcode ID: 6c36dbe2b9d3688503e3beb342cc5b6ac28d7df4c3c9de989a2433768ccb7b51
              • Instruction ID: bcef61f5e8a7d986d11e007afbba0baf0cc24d9c667828b43b9a483567a65149
              • Opcode Fuzzy Hash: 6c36dbe2b9d3688503e3beb342cc5b6ac28d7df4c3c9de989a2433768ccb7b51
              • Instruction Fuzzy Hash: 2001E936500209FBCF021FA5DC08DEE7F69BF08792B054121FE14A5121CB3AD971AFA8
              APIs
              • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 0045328A
              • GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 0045329A
              • EncodePointer.KERNEL32(00000000), ref: 004532A3
              • DecodePointer.KERNEL32(00000000), ref: 004532B1
              • InitializeCriticalSectionAndSpinCount.KERNEL32(?,?), ref: 004532D0
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: Pointer$AddressCountCriticalDecodeEncodeHandleInitializeModuleProcSectionSpin
              • String ID: InitializeCriticalSectionEx$kernel32.dll
              • API String ID: 131412094-2762503851
              • Opcode ID: 423fca615618a3dbe98238526714620b07ef09aa868c67a90563606b9f90aae6
              • Instruction ID: 7cfb3c0408d08770bcc61c472cefe4e171bf7ac3fbf85c143961d24661326c2f
              • Opcode Fuzzy Hash: 423fca615618a3dbe98238526714620b07ef09aa868c67a90563606b9f90aae6
              • Instruction Fuzzy Hash: 85F0303A500615BB9B015FB49C08A6A3BA8BB08B93B054271FD06E5221D739DA159BAC
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: H_prolog3_
              • String ID: Wiz$Inst$allS$ard$d$hiel
              • API String ID: 2427045233-3898594558
              • Opcode ID: 1292d053f5f8bbd179a11c5b2caa1d4d229d41a26b9e141e232fe986f8a02d88
              • Instruction ID: 4a4ca5d09056a61527bb5e36f91f887f3cd9725fc107fcec5c19b179a6c6b38a
              • Opcode Fuzzy Hash: 1292d053f5f8bbd179a11c5b2caa1d4d229d41a26b9e141e232fe986f8a02d88
              • Instruction Fuzzy Hash: CCF0F9B19012589ACF01DFD6D5816CEBBB5BF09714F90501EE644BB341C7B85A48CB99
              APIs
              • QueryPerformanceCounter.KERNEL32(00000003,00000000,00000002,00000000,00000003,00000000,00000000,00000000), ref: 00493CB4
              • GetTickCount.KERNEL32 ref: 00493CBC
              • ResetEvent.KERNEL32(?), ref: 00493CCC
              • QueryPerformanceCounter.KERNEL32(?), ref: 00493D1F
              • GetTickCount.KERNEL32 ref: 00493D2D
              • __alldvrm.LIBCMT ref: 00493D9A
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00493DB1
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00493DD6
                • Part of subcall function 00493FF7: GetTickCount.KERNEL32 ref: 00494006
                • Part of subcall function 00493FF7: GetTickCount.KERNEL32 ref: 0049402F
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: CountTick$CounterPerformanceQueryUnothrow_t@std@@@__ehfuncinfo$??2@$EventReset__alldvrm
              • String ID:
              • API String ID: 3317835756-0
              • Opcode ID: 3335d6cd2088337851429d36eda5a93b7fea6f49606c5ac27481a1135d166a67
              • Instruction ID: 52e2ba73fe71ea326c0c98a116578514b8966b996eac55f977888d61bc903c5c
              • Opcode Fuzzy Hash: 3335d6cd2088337851429d36eda5a93b7fea6f49606c5ac27481a1135d166a67
              • Instruction Fuzzy Hash: 85518B71A007049FDF24DFA5C885BABBBF9FB4531AF00893EE44696240D778A945CB14
              APIs
              • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 004308C0
              • GetLastError.KERNEL32 ref: 004308D3
              • __CxxThrowException@8.LIBCMT ref: 00430914
              • _memmove.LIBCMT ref: 0043097A
              • WriteFile.KERNEL32(00000000,00000000,00002800,?,00000000,?,?,00000000,00002800), ref: 004309A9
              • GetLastError.KERNEL32 ref: 004309B3
              • GetLastError.KERNEL32 ref: 004309EF
              • CloseHandle.KERNEL32(00000000,?,?,00000000,00002800), ref: 00430A8E
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: ErrorLast$File$CloseCreateException@8HandleThrowWrite_memmove
              • String ID:
              • API String ID: 2788177597-0
              • Opcode ID: 2d5d262f0c802e0d6c8b374f413fb4c5b58808ef7817d6ae3eccadb7f12b7b2f
              • Instruction ID: 013ca025ad6a2f81c27271a089f56c0c822bece4f7c7c8cbdb043d3de0bba3c0
              • Opcode Fuzzy Hash: 2d5d262f0c802e0d6c8b374f413fb4c5b58808ef7817d6ae3eccadb7f12b7b2f
              • Instruction Fuzzy Hash: 8C51EB70A01314AFEB25DB65DCA5BAFB7FCAF08354F1042ABE915D2181D7789F448B18
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 004203B9
                • Part of subcall function 00403E30: GetLastError.KERNEL32 ref: 00403E4F
                • Part of subcall function 00403E30: SetLastError.KERNEL32(?), ref: 00403E7F
              • EndDialog.USER32(?,00000001), ref: 00420415
              • SetWindowTextW.USER32(?,-00000004), ref: 0042045B
              • GetDlgItem.USER32(?,00000001), ref: 00420499
              • GetDlgItem.USER32(?,00000066), ref: 004204A1
              • ShowWindow.USER32(?,00000000), ref: 004204B7
              • ShowWindow.USER32(00000000,00000000), ref: 004204CD
              • DeleteObject.GDI32 ref: 004204F0
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: Window$ErrorItemLastShow$DeleteDialogH_prolog3_ObjectText
              • String ID:
              • API String ID: 276247898-0
              • Opcode ID: c781d4adb8b4766be2552872f6ffb5ab5189e02709c4ee950b9376ca79b6a469
              • Instruction ID: e855e909d6a00c92141fd21a89804ece98b72b80297a5541b24a9caebbc91ab1
              • Opcode Fuzzy Hash: c781d4adb8b4766be2552872f6ffb5ab5189e02709c4ee950b9376ca79b6a469
              • Instruction Fuzzy Hash: 1B31C370500214EBDB10AFA5EC85AAE7BB4FB14709F54817FF501AB1A3DB385D04CB68
              APIs
              • GetLastError.KERNEL32 ref: 0040640F
              • SetLastError.KERNEL32(004CC554), ref: 00406443
                • Part of subcall function 00407010: MultiByteToWideChar.KERNEL32(?,00000000,00000000,00000001,00000000,00000000,17703A82,74DEE010,004CBCD0,?), ref: 004070A0
                • Part of subcall function 00407010: MultiByteToWideChar.KERNEL32(?,00000000,?), ref: 004070DA
              • GetLastError.KERNEL32 ref: 00406472
              • SetLastError.KERNEL32(?,?,00000000,000000FF), ref: 004064BE
              • GetLastError.KERNEL32 ref: 004064D1
              • SysFreeString.OLEAUT32(?), ref: 004064EB
              • SysFreeString.OLEAUT32(?), ref: 004064F8
              • SetLastError.KERNEL32(?), ref: 0040651C
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: ErrorLast$ByteCharFreeMultiStringWide
              • String ID:
              • API String ID: 2284902721-0
              • Opcode ID: b2c0f429e63ba0bba9db86624cd1d236ff5bcdd51a5e42050a1829969b3e5264
              • Instruction ID: 80501ee5a205608421065971ebcd29191669c672463233f6d8240e3d0ebb5f7a
              • Opcode Fuzzy Hash: b2c0f429e63ba0bba9db86624cd1d236ff5bcdd51a5e42050a1829969b3e5264
              • Instruction Fuzzy Hash: C541E8B55083409FC740DF29C884B4ABBE4FF89318F114A6EF8598B2A1D779E905CF96
              APIs
              • __EH_prolog3_catch_GS.LIBCMT ref: 00440E26
              • LoadLibraryExW.KERNEL32(?,00000000,00000060,00000424), ref: 00440E65
              • LoadLibraryExW.KERNEL32(?,00000000,00000002), ref: 00440E7B
              • FindResourceW.KERNEL32(00000000,?,?), ref: 00440EA6
              • LoadResource.KERNEL32(00000000,00000000), ref: 00440EBE
              • SizeofResource.KERNEL32(00000000,00000000), ref: 00440ED0
                • Part of subcall function 00440317: GetLastError.KERNEL32 ref: 00440317
              • FreeLibrary.KERNEL32(00000000), ref: 00440F74
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: LibraryLoadResource$ErrorFindFreeH_prolog3_catch_LastSizeof
              • String ID:
              • API String ID: 1818814483-0
              • Opcode ID: 29bbe60aacccb53bccb64c7a5d8065740bee3c8e6e9b4134b8c029a24d45bf66
              • Instruction ID: ea6532665c2a23f71f611a5f5f8405adf055d15aef5e3356f91a99270090ed3e
              • Opcode Fuzzy Hash: 29bbe60aacccb53bccb64c7a5d8065740bee3c8e6e9b4134b8c029a24d45bf66
              • Instruction Fuzzy Hash: BD4186B49002199BDB31DF258C44B9EBAB5AF48314F5181EEFA09A3241DB384E95CF9D
              APIs
              • __EH_prolog3.LIBCMT ref: 0044C868
                • Part of subcall function 00411456: __EH_prolog3.LIBCMT ref: 0041145D
                • Part of subcall function 0048376D: __EH_prolog3_GS.LIBCMT ref: 00483777
              • LoadImageW.USER32(00000000,?,00000000,00000000,00000000,00000010), ref: 0044C8BE
              • GetDC.USER32(00000000), ref: 0044C8EF
              • GetDeviceCaps.GDI32(00000000,0000000C), ref: 0044C900
              • GetDeviceCaps.GDI32(00000000,0000000E), ref: 0044C907
              • ReleaseDC.USER32(00000000,00000000), ref: 0044C90F
              • CreateDialogParamW.USER32(?,0000006C,00000000,Function_0004C96B,00000000), ref: 0044C93B
              • SetForegroundWindow.USER32(00000000), ref: 0044C945
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: CapsDeviceH_prolog3$CreateDialogForegroundH_prolog3_ImageLoadParamReleaseWindow
              • String ID:
              • API String ID: 2034763720-0
              • Opcode ID: 00938c34cab5c49c2dde17825d02173ec8f50e7e7841da89a911da3b58239919
              • Instruction ID: be3bc18ed093cbe3f1f4c88554edcc17f47b6cb54390275e8ca9820c5293492a
              • Opcode Fuzzy Hash: 00938c34cab5c49c2dde17825d02173ec8f50e7e7841da89a911da3b58239919
              • Instruction Fuzzy Hash: E931C2B1900209FFEB10AF65CC85AAE7BE8FB04795F01452AF854AB2A1D778DD04CB58
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 0040FCB0
              • CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000003,00000080,00000000,00000148,0044D990,000000FF,00000000,?,?,?), ref: 0040FCD4
              • GetFileSize.KERNEL32(00000000,00000000,?,?,00000084,0044EC35,?,?,?,?,?,?), ref: 0040FCE7
              • CreateFileMappingW.KERNEL32(00000000,00000000,00000004,00000000,00000000,00000000,?,?,00000084,0044EC35,?,?,?,?,?,?), ref: 0040FCFA
              • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,?,?,00000084,0044EC35,?,?,?,?,?,?), ref: 0040FD10
              • CloseHandle.KERNEL32(00000000,?,?,00000084,0044EC35,?,?,?,?,?,?), ref: 0040FD92
                • Part of subcall function 00404000: GetLastError.KERNEL32(17703A82,?,?,00000000,?,?,?,?,?,?,004B3A10,000000FF,?,00403A23,?,?), ref: 00404051
                • Part of subcall function 00404000: SetLastError.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,004B3A10,000000FF,?,00403A23,?,?), ref: 00404081
                • Part of subcall function 00404000: GetLastError.KERNEL32(00000000,00000000,00000000,?,00000001,?,?,00000000,?,?,?,?,?,?,004B3A10,000000FF), ref: 004040D1
                • Part of subcall function 00404000: SysFreeString.OLEAUT32(?), ref: 004040ED
                • Part of subcall function 00404000: SysFreeString.OLEAUT32(?), ref: 004040F8
                • Part of subcall function 00404000: SetLastError.KERNEL32(?), ref: 00404118
                • Part of subcall function 00401AC0: GetLastError.KERNEL32(?,00000000,004035F7,00000000,00000000,?,?,00000000,004CBE7C,?,00000001,?,00000000,000000FF,-00000004,?), ref: 00401ACF
                • Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AEB
                • Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AF6
                • Part of subcall function 00401AC0: SetLastError.KERNEL32(?), ref: 00401B14
              • UnmapViewOfFile.KERNEL32(?), ref: 0040FD8B
              • CloseHandle.KERNEL32(00000000,?,?,00000084,0044EC35,?,?,?,?,?,?), ref: 0040FD99
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: ErrorLast$File$FreeString$CloseCreateHandleView$H_prolog3_MappingSizeUnmap
              • String ID:
              • API String ID: 3937577892-0
              • Opcode ID: ae05105fc88aff5daf41ca6c83ed8d1166a53d5941ce6f61cc65ef1ceae183db
              • Instruction ID: 426fafa17e276e66353a9f1ece002a521feffa26677dc52fcf0cfaa0998f587a
              • Opcode Fuzzy Hash: ae05105fc88aff5daf41ca6c83ed8d1166a53d5941ce6f61cc65ef1ceae183db
              • Instruction Fuzzy Hash: CA218171901224ABCB309BA18C49FDF7FB9EF45754F0401B9FA09A62A1DA784A44CB54
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: H_prolog3_wsprintf
              • String ID: 1033$Startup$UseDotNetUI
              • API String ID: 1814582032-2843573423
              • Opcode ID: c84badb333d9ff0381669cf7742d199f211ff1267b8c547bf222b490de792fd4
              • Instruction ID: 4dcb3b8b48be2487a4e575ca81f2046e11b794e4804c4e6d234ee39572e1c84f
              • Opcode Fuzzy Hash: c84badb333d9ff0381669cf7742d199f211ff1267b8c547bf222b490de792fd4
              • Instruction Fuzzy Hash: 65C16C70A00218DFDB24DF68C985BDDB7B4BF49314F1041EAE549AB292DB389E84CF55
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 0044F962
                • Part of subcall function 00402CA0: GetLastError.KERNEL32(17703A82,?,00000000,?,?,?,004B3A88,000000FF,?,00401F2D,InstallShield.log,?,00000001), ref: 00402CF0
                • Part of subcall function 00402CA0: SetLastError.KERNEL32(?,004CBE7C,00000000,?,00000000,?,?,?,004B3A88,000000FF,?,00401F2D,InstallShield.log,?,00000001), ref: 00402D68
                • Part of subcall function 004457A9: __EH_prolog3_GS.LIBCMT ref: 004457B0
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: ErrorH_prolog3_Last
              • String ID: BuildNo$MajorVer$MinorVer$MinorVerMax$PlatformId
              • API String ID: 1018228973-1900021638
              • Opcode ID: 8a944da43e2f0f5cc5eebc6aa4c4b7c9d83dc88f3114fa2ded81b0bfa17694c3
              • Instruction ID: d6c21b643c42a7ed8ff2821b76b37d553737faae1816bc9de2b4213a58a1e648
              • Opcode Fuzzy Hash: 8a944da43e2f0f5cc5eebc6aa4c4b7c9d83dc88f3114fa2ded81b0bfa17694c3
              • Instruction Fuzzy Hash: AFB16C71E9021AEAEB25DF64CD91BEDB3B4AF04308F1001FAA519A61C1DB785F84CF54
              APIs
              • GetTempFileNameW.KERNEL32(?,_is,00000000,00000000,?,00000104), ref: 00486B76
              • GetTempPathW.KERNEL32(00000104,00000000,?,00000104), ref: 00486A58
                • Part of subcall function 00411BD3: __EH_prolog3_GS.LIBCMT ref: 00411BDA
                • Part of subcall function 00411BD3: GetLastError.KERNEL32(00000038,004212CA), ref: 00411BE1
                • Part of subcall function 00411BD3: SetLastError.KERNEL32(00000000), ref: 00411C37
              • __EH_prolog3_GS.LIBCMT ref: 00486A15
                • Part of subcall function 004160CC: __EH_prolog3.LIBCMT ref: 004160D3
                • Part of subcall function 00416071: SysStringLen.OLEAUT32(?), ref: 0041607E
                • Part of subcall function 00416071: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 00416098
              • DeleteFileW.KERNEL32(?), ref: 00486B9B
                • Part of subcall function 00411254: __EH_prolog3.LIBCMT ref: 0041125B
                • Part of subcall function 00411254: GetLastError.KERNEL32(00000004,00411484,00000000,00000000,00000004,004152FC,?,00000001,00411C1B,00000000), ref: 0041127D
                • Part of subcall function 00411254: SetLastError.KERNEL32(?,00000000), ref: 004112BD
                • Part of subcall function 00488CC7: __EH_prolog3.LIBCMT ref: 00488CCE
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: ErrorLast$H_prolog3$FileH_prolog3_StringTemp$AllocDeleteNamePath
              • String ID: .tmp$_is
              • API String ID: 2274788794-3921807090
              • Opcode ID: 313424c5c3f4867dacefdb80829b2bd5d47fdb3d96664ffd590b8a7a040ff869
              • Instruction ID: 8780dd6f7474db40727e567d85fe6aa3ec7265c0da6e9a199b57384bb5750e14
              • Opcode Fuzzy Hash: 313424c5c3f4867dacefdb80829b2bd5d47fdb3d96664ffd590b8a7a040ff869
              • Instruction Fuzzy Hash: 1991A170900248DFDB45FBA5CC91FDE77B8AF14308F50009EE94963192EB795B89CB69
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 0044398B
                • Part of subcall function 00446C3F: __EH_prolog3_GS.LIBCMT ref: 00446C49
                • Part of subcall function 00446FFC: __EH_prolog3_GS.LIBCMT ref: 00447006
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: H_prolog3_
              • String ID: %s=%s$Dumping setup.ini...$Password$Section: %s$session.cpp
              • API String ID: 2427045233-142721329
              • Opcode ID: afbffacef2f7c1151a9b947c4da3f6fcafca192300f4376f1de3ebf69bbe3fb6
              • Instruction ID: 6fc3a7316647c2dfb44eeb44e92747ebea53e6b49720628a34cd1f38ecb001b7
              • Opcode Fuzzy Hash: afbffacef2f7c1151a9b947c4da3f6fcafca192300f4376f1de3ebf69bbe3fb6
              • Instruction Fuzzy Hash: 04818D70900258DAEB24EF61CD95BEDB7B4AF10308F5041AEE109A7192DB785F88CB69
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 0044FD54
                • Part of subcall function 00402CA0: GetLastError.KERNEL32(17703A82,?,00000000,?,?,?,004B3A88,000000FF,?,00401F2D,InstallShield.log,?,00000001), ref: 00402CF0
                • Part of subcall function 00402CA0: SetLastError.KERNEL32(?,004CBE7C,00000000,?,00000000,?,?,?,004B3A88,000000FF,?,00401F2D,InstallShield.log,?,00000001), ref: 00402D68
                • Part of subcall function 004457A9: __EH_prolog3_GS.LIBCMT ref: 004457B0
                • Part of subcall function 00401AC0: GetLastError.KERNEL32(?,00000000,004035F7,00000000,00000000,?,?,00000000,004CBE7C,?,00000001,?,00000000,000000FF,-00000004,?), ref: 00401ACF
                • Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AEB
                • Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AF6
                • Part of subcall function 00401AC0: SetLastError.KERNEL32(?), ref: 00401B14
                • Part of subcall function 00419EA4: __EH_prolog3_GS.LIBCMT ref: 00419EAB
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: ErrorLast$H_prolog3_$FreeString
              • String ID: 1.20.1827.0$CSDVersion$MajorVer$ServicePack$System\CurrentControlSet\Control\Windows
              • API String ID: 1274762985-3305444093
              • Opcode ID: 7df61e5b7ff73c22a8244a2e08a80fae4a5ceb701a7df8dd8f218d36de15fb80
              • Instruction ID: b99c9add683ffe84e11d31467f0a5a829bd7ebc8b7f5c046aa3369edd78edbd4
              • Opcode Fuzzy Hash: 7df61e5b7ff73c22a8244a2e08a80fae4a5ceb701a7df8dd8f218d36de15fb80
              • Instruction Fuzzy Hash: 3E516D31D10218EBEB20DBA1CD92BEDB7B8BF14354F60416EE502B71D2DB785A09CB55
              APIs
              • __EH_prolog3_catch_GS.LIBCMT ref: 00421853
              • _memset.LIBCMT ref: 0042186F
              • _memset.LIBCMT ref: 0042187C
                • Part of subcall function 00402CA0: GetLastError.KERNEL32(17703A82,?,00000000,?,?,?,004B3A88,000000FF,?,00401F2D,InstallShield.log,?,00000001), ref: 00402CF0
                • Part of subcall function 00402CA0: SetLastError.KERNEL32(?,004CBE7C,00000000,?,00000000,?,?,?,004B3A88,000000FF,?,00401F2D,InstallShield.log,?,00000001), ref: 00402D68
              • _wcscpy.LIBCMT ref: 004218CB
              • _memset.LIBCMT ref: 004218FF
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: _memset$ErrorLast$H_prolog3_catch__wcscpy
              • String ID: ,
              • API String ID: 2195959318-3772416878
              • Opcode ID: f0d4e8583f9910ee848eab34ceb4909583664e445c9251091d7d13151fe8a7d3
              • Instruction ID: 2037a1797bbe1a3986c15aff130f65db2e30f719d3a2af29a78ba115e99402cd
              • Opcode Fuzzy Hash: f0d4e8583f9910ee848eab34ceb4909583664e445c9251091d7d13151fe8a7d3
              • Instruction Fuzzy Hash: ED51A3B1E01258AEEF10DFA5CD06BEDBAB8AF14314F10416EE409E72D2D7B84E44CB58
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 0042E68F
                • Part of subcall function 00417FB3: __EH_prolog3_GS.LIBCMT ref: 00417FBA
                • Part of subcall function 00420177: __EH_prolog3_GS.LIBCMT ref: 0042017E
                • Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00415457,00000000,?,00000000,?,00000001,00000044,004152EA,004CC0A0,?,00000000,00000000,00000040,004115AA), ref: 00401B8F
                • Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
                • Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
                • Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: H_prolog3_$ErrorFreeLastString
              • String ID: TRANSFORMS="$.mst$.mst"$TRANSFORMS=$TRANSFORMS="
              • API String ID: 2278686355-3238450747
              • Opcode ID: f31ecebdb401ead476d3e0f09a3390954f5630f0b4833228827a7e732f687c58
              • Instruction ID: 324e62e7907d62e4614a11c536ccc146cc90d764fecdca37c6e2b1c53d1b93a1
              • Opcode Fuzzy Hash: f31ecebdb401ead476d3e0f09a3390954f5630f0b4833228827a7e732f687c58
              • Instruction Fuzzy Hash: E7412331A04214AADF10B6B59C46BEDB7799F92328F34421FF521672C3CA7C1E49872C
              APIs
              • __EH_prolog3_catch_GS.LIBCMT ref: 00421443
              • _memset.LIBCMT ref: 00421466
              • _memset.LIBCMT ref: 00421474
                • Part of subcall function 00402CA0: GetLastError.KERNEL32(17703A82,?,00000000,?,?,?,004B3A88,000000FF,?,00401F2D,InstallShield.log,?,00000001), ref: 00402CF0
                • Part of subcall function 00402CA0: SetLastError.KERNEL32(?,004CBE7C,00000000,?,00000000,?,?,?,004B3A88,000000FF,?,00401F2D,InstallShield.log,?,00000001), ref: 00402D68
              • _wcscpy.LIBCMT ref: 004214BF
              • _memset.LIBCMT ref: 004214FF
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: _memset$ErrorLast$H_prolog3_catch__wcscpy
              • String ID: ,
              • API String ID: 2195959318-3772416878
              • Opcode ID: f9dbf5b8bbe1c9132bbee7e9f0b35d1b69182684d9bc47eeaec31eb636c4180c
              • Instruction ID: 7e9bae918d35bd8c26a94ff3f60fed9f8bbd190bd6e5f357c2e1495e7af18010
              • Opcode Fuzzy Hash: f9dbf5b8bbe1c9132bbee7e9f0b35d1b69182684d9bc47eeaec31eb636c4180c
              • Instruction Fuzzy Hash: C8418371D00258AEEB10DFA5CD46BADBBB8AF15304F1440AFE409EB292D7B85A44CF18
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 00483777
              • GetLastError.KERNEL32 ref: 0048380C
              • GetLastError.KERNEL32 ref: 004838CB
              • __CxxThrowException@8.LIBCMT ref: 0048393B
                • Part of subcall function 00411254: __EH_prolog3.LIBCMT ref: 0041125B
                • Part of subcall function 00411254: GetLastError.KERNEL32(00000004,00411484,00000000,00000000,00000004,004152FC,?,00000001,00411C1B,00000000), ref: 0041127D
                • Part of subcall function 00411254: SetLastError.KERNEL32(?,00000000), ref: 004112BD
                • Part of subcall function 00483950: __EH_prolog3_catch_GS.LIBCMT ref: 0048395A
                • Part of subcall function 00483950: __CxxThrowException@8.LIBCMT ref: 00483A19
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: ErrorLast$Exception@8Throw$H_prolog3H_prolog3_H_prolog3_catch_
              • String ID: $X$A
              • API String ID: 3135901474-3123646424
              • Opcode ID: 3b80aa7dababe845a675b6d8d1bcbeb946af93c5d3b4eb53b0a46e021ba08f24
              • Instruction ID: 090862f0e83273a89a62f54d61051debb49e82a6f584b129f388a3cdcae9d92a
              • Opcode Fuzzy Hash: 3b80aa7dababe845a675b6d8d1bcbeb946af93c5d3b4eb53b0a46e021ba08f24
              • Instruction Fuzzy Hash: 915105B04002089ADF14FFA5C895BDE7BA46F01758F44499FFC49262E2E77C4B8ACB59
              APIs
              • __EH_prolog3.LIBCMT ref: 0043BC2D
                • Part of subcall function 00406550: SysFreeString.OLEAUT32(?), ref: 0040655E
              • GetErrorInfo.OLEAUT32(00000000,00000000,00000014,0043AF07,00000008,0043B54C,8007000E,00000124,0043CDCB,00000001,00000080,00446D39,?,?), ref: 0043BC61
              • CLSIDFromProgID.OLE32(?,?), ref: 0043BD07
              • FormatMessageW.KERNEL32(00001300,00000000,00000005,00000000,?,00000000,00000000), ref: 0043BD2D
              • LocalFree.KERNEL32(00000000), ref: 0043BD4F
                • Part of subcall function 0043B74E: __EH_prolog3.LIBCMT ref: 0043B755
                • Part of subcall function 00403D20: SysStringLen.OLEAUT32(?), ref: 00403D2E
                • Part of subcall function 00403D20: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 00403D48
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: String$FreeH_prolog3$AllocErrorFormatFromInfoLocalMessageProg
              • String ID: Unknown error
              • API String ID: 2182933432-83687255
              • Opcode ID: 86aa1925fecc1e5009c4bab4e64deea799886723abe8319f0d75ce1186609916
              • Instruction ID: 3d142e96ed8ac7bf13fb735d9a0baf4b826aafe3bfa9b630cff7e4305dc88681
              • Opcode Fuzzy Hash: 86aa1925fecc1e5009c4bab4e64deea799886723abe8319f0d75ce1186609916
              • Instruction Fuzzy Hash: 83419D71900214AFDF05DF90C849BAE7766FF49304F14419AE911AB2D2C7B9AA05CBA5
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 004469DC
              • _memset.LIBCMT ref: 004469FB
                • Part of subcall function 0041292E: __EH_prolog3_GS.LIBCMT ref: 00412935
              • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00446B73
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: H_prolog3_$ExecuteShell_memset
              • String ID: ClickOncePackage$Startup$open
              • API String ID: 447700153-1966403724
              • Opcode ID: 737886df0ac0f1588e6cfef0134e52081b05ff986c100bc87fb7bc10753f3e03
              • Instruction ID: 0d26e5d7fe23198276991f4877c845f9fcd7a23fe479046ff419f0ab679f0cbe
              • Opcode Fuzzy Hash: 737886df0ac0f1588e6cfef0134e52081b05ff986c100bc87fb7bc10753f3e03
              • Instruction Fuzzy Hash: 8F416E71910168EADB24EA64CC45BDE77F8BF51704F1081EEA18AB3091DE785B88CFD9
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 0044DD6F
              • CreateFileW.KERNEL32(0000000D,40000000,00000000,00000000,00000002,00000080,00000000,00000058,0044DFDB), ref: 0044DDCF
              • GetLastError.KERNEL32 ref: 0044DDDC
              • WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 0044DE5A
              • ReadFile.KERNEL32(?,00000000,00000400,?,00000000), ref: 0044DEA1
              • FlushFileBuffers.KERNEL32(00000000), ref: 0044DEB3
              • CloseHandle.KERNEL32(00000000), ref: 0044DEBA
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: File$BuffersCloseCreateErrorFlushH_prolog3_HandleLastReadWrite
              • String ID:
              • API String ID: 616238222-0
              • Opcode ID: 94b69c083caa6b4257c19f7fcfab5e69f5b5b0e190d8966926c01c0c0e8089f5
              • Instruction ID: 9255543efc29235cb1ae6781632229b62bbf5beed2ce461165e8b2dff57ed47b
              • Opcode Fuzzy Hash: 94b69c083caa6b4257c19f7fcfab5e69f5b5b0e190d8966926c01c0c0e8089f5
              • Instruction Fuzzy Hash: 72418071E00608AFEF10DFA8CC49BDEBBB5BF55314F14412AF911AB291D7789946CB18
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 004206AE
                • Part of subcall function 00403E30: GetLastError.KERNEL32 ref: 00403E4F
                • Part of subcall function 00403E30: SetLastError.KERNEL32(?), ref: 00403E7F
                • Part of subcall function 00420177: __EH_prolog3_GS.LIBCMT ref: 0042017E
                • Part of subcall function 00420AA0: __EH_prolog3.LIBCMT ref: 00420AA7
                • Part of subcall function 00416398: __EH_prolog3_GS.LIBCMT ref: 004163A2
                • Part of subcall function 004202D0: __EH_prolog3_GS.LIBCMT ref: 004202D7
                • Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00415457,00000000,?,00000000,?,00000001,00000044,004152EA,004CC0A0,?,00000000,00000000,00000040,004115AA), ref: 00401B8F
                • Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
                • Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
                • Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4
                • Part of subcall function 004115ED: __EH_prolog3.LIBCMT ref: 004115F4
                • Part of subcall function 00411456: __EH_prolog3.LIBCMT ref: 0041145D
                • Part of subcall function 004873F9: __EH_prolog3_GS.LIBCMT ref: 00487403
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: H_prolog3_$ErrorLast$H_prolog3$FreeString
              • String ID: .ini$0x%04x$FontName$MS Sans Serif$Properties
              • API String ID: 827811706-3774877647
              • Opcode ID: aff426b0abe49fe2a12729721cadb39dfcc4c08fba6c917791c10891d9c2b1eb
              • Instruction ID: cb4a162fea5f904d5ab93ed517945acb8f64d2da079c8b4fb664a7040b38db62
              • Opcode Fuzzy Hash: aff426b0abe49fe2a12729721cadb39dfcc4c08fba6c917791c10891d9c2b1eb
              • Instruction Fuzzy Hash: 4541E371D00258EACB10EBA5CC46BDEBBB8AF55304F5040DEF945A3182DBB81B48CBA5
              APIs
              • GetLastError.KERNEL32(17703A82,?,00000001,00000000,?,?,?,?,?,00000000,004B3A50,000000FF,?,004040AE,00000000,00000000), ref: 00405424
              • SetLastError.KERNEL32(?,?,?,?,?,?,00000000,004B3A50,000000FF,?,004040AE,00000000,00000000), ref: 0040545A
              • GetLastError.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000,004B3A50,000000FF,?,004040AE,00000000), ref: 004054A5
              • SysFreeString.OLEAUT32(00000000), ref: 004054C1
              • SysFreeString.OLEAUT32(?), ref: 004054CC
              • SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004054EC
              • SetLastError.KERNEL32(00000001,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004054F6
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: ErrorLast$FreeString
              • String ID:
              • API String ID: 2425351278-0
              • Opcode ID: e654ec6b4ae32c1bd4828a9f227a1752ec0e6124718c683819fbbb5ceb619789
              • Instruction ID: 6abf78bd8b535260e4b4cffd1dae0f87c655adae7c3f71da43a80f469b86e426
              • Opcode Fuzzy Hash: e654ec6b4ae32c1bd4828a9f227a1752ec0e6124718c683819fbbb5ceb619789
              • Instruction Fuzzy Hash: A6413871900209EFCB00DF69C884B9EBBF4FF08318F10412AE819A7651DB35A951CF98
              APIs
                • Part of subcall function 00455577: _malloc.LIBCMT ref: 0045558F
              • GetLastError.KERNEL32 ref: 004960F1
                • Part of subcall function 004961B6: _wcsstr.LIBCMT ref: 004961C0
                • Part of subcall function 004961B6: lstrlenW.KERNEL32(?,00000000,?,00496159,00000000,2.5.4.3,?), ref: 004961D0
                • Part of subcall function 004961B6: _wcsstr.LIBCMT ref: 004961E2
              • lstrcpynW.KERNEL32(?,00000000,?,00000000,2.5.4.3,?), ref: 00496133
              • lstrlenW.KERNEL32(00000000,00000000,1.2.840.113549.1.9.1,?,00000000,2.5.4.10,?,00000000,2.5.4.11,?,00000000,2.5.4.3,?), ref: 004961AB
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: _wcsstrlstrlen$ErrorLast_malloclstrcpyn
              • String ID: 1.2.840.113549.1.9.1$2.5.4.10$2.5.4.11$2.5.4.3
              • API String ID: 3960672464-2689139351
              • Opcode ID: 6bd716debeb1a867b8fee62d84fe3ea1e8cc01e5ad66bc21f17260b97150c923
              • Instruction ID: 1e483c7fb0a1b2bec97ccbdc2fab162eeda5e8125bf33244a7e263361bef3bcc
              • Opcode Fuzzy Hash: 6bd716debeb1a867b8fee62d84fe3ea1e8cc01e5ad66bc21f17260b97150c923
              • Instruction Fuzzy Hash: 52314D35200605BF8B01DF69CD82DAF3AADEF48394712403AF90587252EA78DE4487A8
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 0042E474
                • Part of subcall function 004018F0: GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 00401914
                • Part of subcall function 004018F0: RegCloseKey.ADVAPI32(00000000), ref: 00401977
              • _memset.LIBCMT ref: 0042E4CA
              • RegEnumValueW.ADVAPI32(?,00000000), ref: 0042E5AC
                • Part of subcall function 004018C0: RegCloseKey.ADVAPI32(00000000,00000000,0044FF28,000001F0,?,00000000,0000000A,?,?,00000001,ServicePack,?,00000001,?,000001F0,00000000), ref: 004018CA
              Strings
              • Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 0042E516
              • Software\Microsoft\Windows\CurrentVersion\RunOnceEx, xrefs: 0042E54D
              • SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\RunOnceEntries, xrefs: 0042E497
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: Close$EnumH_prolog3_HandleModuleValue_memset
              • String ID: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\RunOnceEntries$Software\Microsoft\Windows\CurrentVersion\RunOnce$Software\Microsoft\Windows\CurrentVersion\RunOnceEx
              • API String ID: 2943836032-2087105512
              • Opcode ID: 05e36bd2bf0a976920bd9415a17e0d4bbe006f350befcceb12ba02306b069d0f
              • Instruction ID: be1914a04bfe8c3abbeacf88de79952aeb2e1970305c812ad87c9de24359db43
              • Opcode Fuzzy Hash: 05e36bd2bf0a976920bd9415a17e0d4bbe006f350befcceb12ba02306b069d0f
              • Instruction Fuzzy Hash: 10311DF1600118AADB20DA569CC1FEE76BCAF18348F9040EEB709A2152E6745F49DF1D
              APIs
              • _memmove.LIBCMT ref: 0049BDFC
              • _memmove.LIBCMT ref: 0049BE1C
              • lstrcmpA.KERNEL32(0000000B,NETSCAPE2.0,?,?,?,?,00000000,?,?,0049C0EE,0049C0EF), ref: 0049BE31
              • _memmove.LIBCMT ref: 0049BE49
              • _memmove.LIBCMT ref: 0049BE6F
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: _memmove$lstrcmp
              • String ID: NETSCAPE2.0
              • API String ID: 1993653321-1278374441
              • Opcode ID: e4d406ffea24eee2379c4774e5847a2bb6c2b7c42fdd949114229a26565ef6c6
              • Instruction ID: d9722d1b069ebd51f896c106bef7c438315836504e8805e60d5035864d7e3085
              • Opcode Fuzzy Hash: e4d406ffea24eee2379c4774e5847a2bb6c2b7c42fdd949114229a26565ef6c6
              • Instruction Fuzzy Hash: F331BEB1D00219EFCF21DFA8D845AAEBBF8FF19305F10086EE581A6242D7799644CB95
              APIs
              • ___unDName.LIBCMT ref: 0045A90B
              • _strlen.LIBCMT ref: 0045A91E
              • __lock.LIBCMT ref: 0045A93A
              • _malloc.LIBCMT ref: 0045A94C
              • _malloc.LIBCMT ref: 0045A95D
              • _free.LIBCMT ref: 0045A9A6
                • Part of subcall function 0045ADEA: IsProcessorFeaturePresent.KERNEL32(00000017,0045ADBE,00000008,004E4388,?,?,?,?,0045ADCB,00000000,00000000,00000000,00000000,00000000,00466DA9), ref: 0045ADEC
              • _free.LIBCMT ref: 0045A99F
                • Part of subcall function 00457631: HeapFree.KERNEL32(00000000,00000000), ref: 00457645
                • Part of subcall function 00457631: GetLastError.KERNEL32(00000000), ref: 00457657
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: _free_malloc$ErrorFeatureFreeHeapLastNamePresentProcessor___un__lock_strlen
              • String ID:
              • API String ID: 3704956918-0
              • Opcode ID: f108ae4d05f42f9d18202c3a8c7ee8e08641b67a0010296b04acd8e4deff5780
              • Instruction ID: 7f226fa0c04db1d044e9559d1b0b931903598bb5a2b89f4b3175a54ac003c7ca
              • Opcode Fuzzy Hash: f108ae4d05f42f9d18202c3a8c7ee8e08641b67a0010296b04acd8e4deff5780
              • Instruction Fuzzy Hash: DE210BF1A04711ABD711AB65D841B6BB794AF04316F11862FFC08DB383EA3CD819C69E
              APIs
              • lstrcpyW.KERNEL32(?,@&O,00000000), ref: 00451A24
              • lstrcpyW.KERNEL32(?,00000001), ref: 00451A2E
                • Part of subcall function 004507B2: lstrlenW.KERNEL32(?,74E2F860,?,00451A3C,?), ref: 004507BE
              • _swscanf.LIBCMT ref: 00451AA3
                • Part of subcall function 00457E8C: _vscan_fn.LIBCMT ref: 00457EA0
              • _swscanf.LIBCMT ref: 00451ACC
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: _swscanflstrcpy$_vscan_fnlstrlen
              • String ID: %u.%u.%u.%u$@&O
              • API String ID: 1604777239-3133600714
              • Opcode ID: 2aa74975f6b8aeea2b9d0eabcd5f918a5769d0d564254e5e7cba750e6417b6d1
              • Instruction ID: 11a785b675f7e385e824f9be468b4974bd1c82c67c113840f4b8687302bac60d
              • Opcode Fuzzy Hash: 2aa74975f6b8aeea2b9d0eabcd5f918a5769d0d564254e5e7cba750e6417b6d1
              • Instruction Fuzzy Hash: CB31E4F2D1112C9ACB11DF55DC84ACAB7BCAB48715F4045E7A609E3112D6349F89CF98
              APIs
              • RegOpenKeyW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Internet Settings,00000000), ref: 0049387B
              • RegQueryValueExW.ADVAPI32(00000000,ProxyEnable,00000000,00000000,?,?,?,00000000), ref: 004938B6
              • RegQueryValueExW.ADVAPI32(00000000,AutoConfigURL,00000000,00000000,?,00000004,?,00000000), ref: 004938F0
              Strings
              • ProxyEnable, xrefs: 004938A1
              • Software\Microsoft\Windows\CurrentVersion\Internet Settings, xrefs: 00493871
              • AutoConfigURL, xrefs: 004938D2
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: QueryValue$Open
              • String ID: AutoConfigURL$ProxyEnable$Software\Microsoft\Windows\CurrentVersion\Internet Settings
              • API String ID: 1606891134-3224623278
              • Opcode ID: 9f41a0618a0fb11eb4c417c516b1d1f5dee952347fbfea3742c4a60ff0be1d8d
              • Instruction ID: 1a8892a1f76032c6016ac60bb1fa928973862fc6abcdfad829d4a21e7e4c1209
              • Opcode Fuzzy Hash: 9f41a0618a0fb11eb4c417c516b1d1f5dee952347fbfea3742c4a60ff0be1d8d
              • Instruction Fuzzy Hash: C1312E71900229ABDF10DF65CC40BAEB7F8BF48710F0080AAE549A2141DE75AF84CFD4
              APIs
              • __lock.LIBCMT ref: 0045D3F9
                • Part of subcall function 00467E1A: __mtinitlocknum.LIBCMT ref: 00467E2C
                • Part of subcall function 00467E1A: __amsg_exit.LIBCMT ref: 00467E38
                • Part of subcall function 00467E1A: EnterCriticalSection.KERNEL32(00000000,?,004594E9,0000000D), ref: 00467E45
              • InterlockedDecrement.KERNEL32(00000000), ref: 0045D40C
              • _free.LIBCMT ref: 0045D422
                • Part of subcall function 00457631: HeapFree.KERNEL32(00000000,00000000), ref: 00457645
                • Part of subcall function 00457631: GetLastError.KERNEL32(00000000), ref: 00457657
              • __lock.LIBCMT ref: 0045D43B
              • ___removelocaleref.LIBCMT ref: 0045D44A
              • ___freetlocinfo.LIBCMT ref: 0045D463
              • _free.LIBCMT ref: 0045D476
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: __lock_free$CriticalDecrementEnterErrorFreeHeapInterlockedLastSection___freetlocinfo___removelocaleref__amsg_exit__mtinitlocknum
              • String ID:
              • API String ID: 556454624-0
              • Opcode ID: b435aca7398fc61c0cdfb56da1ec91d8c62f908c137681466c25c1f60140257a
              • Instruction ID: cc2dcdd4042388414d9edcd4f0e74fd335f2bb0623c729ca739f7726ff6c32dd
              • Opcode Fuzzy Hash: b435aca7398fc61c0cdfb56da1ec91d8c62f908c137681466c25c1f60140257a
              • Instruction Fuzzy Hash: 6A01A131801700EADB346F66D84671E73A0AF0172BF24855FF855AA1D3DB7CA88CC95E
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: Name::operator+$NameName::
              • String ID: throw(
              • API String ID: 168861036-3159766648
              • Opcode ID: 2b8c8960ed62c977d1d434c36e51f4b3fdd7b9e3a970f98702e7518f56c249cc
              • Instruction ID: e95de2f4821881b5b0de5f03bf40d91fabe4f75a249aba122f17001e0d8fe3af
              • Opcode Fuzzy Hash: 2b8c8960ed62c977d1d434c36e51f4b3fdd7b9e3a970f98702e7518f56c249cc
              • Instruction Fuzzy Hash: 68014075A00209AFCF05EFA4CC56FFE37B4AB44748F00445EB505AB291FE78AA45875A
              APIs
              • __EH_prolog3.LIBCMT ref: 0041E066
              • GetLastError.KERNEL32(00000004,0041E1AB), ref: 0041E083
              • SysFreeString.OLEAUT32(?), ref: 0041E090
              • SetLastError.KERNEL32(?), ref: 0041E0AA
              • GetLastError.KERNEL32 ref: 0041E0BD
              • SysFreeString.OLEAUT32(?), ref: 0041E0E2
              • SetLastError.KERNEL32(?), ref: 0041E0F6
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: ErrorLast$FreeString$H_prolog3
              • String ID:
              • API String ID: 746121330-0
              • Opcode ID: 24c42b0b52c084f31edf9f7c4859b8416429b71999fc810586a496011475df2a
              • Instruction ID: 9e2c9c4f16bb40ac9be2d9f8bae7aedff5ffcf9bf329c5c554dbb1ff00bbf36c
              • Opcode Fuzzy Hash: 24c42b0b52c084f31edf9f7c4859b8416429b71999fc810586a496011475df2a
              • Instruction Fuzzy Hash: 4211E674504250CFCB11DF68C888A58BBF0FF09318F198599EC659B362C779E950DB18
              APIs
              • GetModuleHandleW.KERNEL32(KERNEL32), ref: 0040F72B
              • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040F739
              • GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 0040F750
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: AddressProc$HandleModule
              • String ID: KERNEL32$SetDllDirectoryW$SetSearchPathMode
              • API String ID: 667068680-4129897381
              • Opcode ID: eaed5832003f27058e3b183be08352e12403a991f04dfea9785491b1fbaf33aa
              • Instruction ID: 1f99943cf1d5464384f40f07f07afa695e0d7df12a585510dee0330634e221de
              • Opcode Fuzzy Hash: eaed5832003f27058e3b183be08352e12403a991f04dfea9785491b1fbaf33aa
              • Instruction Fuzzy Hash: 4DE0EC303813106FB6212BB05C8AFAA2798EB05F5131A0136FC01E2290DBAD890446BD
              APIs
                • Part of subcall function 00441CB8: __EH_prolog3.LIBCMT ref: 00441CBF
                • Part of subcall function 00441CB8: lstrcmpiW.KERNEL32(?,00000000,0043FD27,?,?,?,17703A82,?,?,?,?,?,004AA98E,000000FF), ref: 00441D36
              • CharNextW.USER32(?), ref: 0043FDE8
              • CharNextW.USER32(00000000), ref: 0043FE05
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: CharNext$H_prolog3lstrcmpi
              • String ID:
              • API String ID: 1581910369-0
              • Opcode ID: 742b87c5cdedbd022a67e983171492de9bcc28a62868989befe92ed0cf4bf5e5
              • Instruction ID: 30fb89019fcce60bf85f1d0fc318ea3cfcec3021c59833d36dc7ff1b960e5c06
              • Opcode Fuzzy Hash: 742b87c5cdedbd022a67e983171492de9bcc28a62868989befe92ed0cf4bf5e5
              • Instruction Fuzzy Hash: 74A18F71C00228DBDB25DF64CC49AEDB7B4AB18314F1141ABE709A3291D7389EA5CF99
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 0041DB37
              • GlobalLock.KERNEL32 ref: 0041DB5F
                • Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00415457,00000000,?,00000000,?,00000001,00000044,004152EA,004CC0A0,?,00000000,00000000,00000040,004115AA), ref: 00401B8F
                • Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
                • Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
                • Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4
              • _wcsncpy.LIBCMT ref: 0041DC66
              • _memmove.LIBCMT ref: 0041DD0E
              • _memmove.LIBCMT ref: 0041DD33
              • GlobalUnlock.KERNEL32 ref: 0041DD4C
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: ErrorFreeGlobalLastString_memmove$H_prolog3_LockUnlock_wcsncpy
              • String ID:
              • API String ID: 2730803256-0
              • Opcode ID: 70edc33611582e0ed3b8ccc07aa326e961144780493a913ef8c10d5ad67dbf57
              • Instruction ID: a8fed6407f67b26b0527a7e6f6a00ae9c84c361852f89cc2f3fc0d7b9dabfbea
              • Opcode Fuzzy Hash: 70edc33611582e0ed3b8ccc07aa326e961144780493a913ef8c10d5ad67dbf57
              • Instruction Fuzzy Hash: 21618F71D01219CBEB24EF65CC41BDAB7B5BF40314F1482EAE409A7291EB789AC4CF19
              APIs
              • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00408251
              • ReadFile.KERNEL32(00000000,?,00004000,?,00000000), ref: 00408288
              • GetLastError.KERNEL32 ref: 00408296
              • GetLastError.KERNEL32 ref: 004082A1
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: ErrorFileLast$CreateRead
              • String ID:
              • API String ID: 1307834717-0
              • Opcode ID: cc6852c910329960102cd454bbe554122029045e8347eb73b7a8e62e4e7243a6
              • Instruction ID: 8ab9acfb780235b0232321064b0c19b790bf691cab16af1c8751cde6a79c1a31
              • Opcode Fuzzy Hash: cc6852c910329960102cd454bbe554122029045e8347eb73b7a8e62e4e7243a6
              • Instruction Fuzzy Hash: 14518B715087009FD320DF68D984B5BB7E4BB88B14F104A2EF995A73D0DB39E909CB5A
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: _memset$BrowseFolderFromH_prolog3_ListMallocPath
              • String ID:
              • API String ID: 1804835819-0
              • Opcode ID: 72dd7eda4a1615a05d8a2ae3cc6dc59ab54f67ccf2a7dfe8304ccfaa4f589fff
              • Instruction ID: 7ee666e1b540306aff9ee796656937a0477be39d84cdda5f4ebe6f9fbbd55e3f
              • Opcode Fuzzy Hash: 72dd7eda4a1615a05d8a2ae3cc6dc59ab54f67ccf2a7dfe8304ccfaa4f589fff
              • Instruction Fuzzy Hash: EF413071A00258EEDB20EB64CC45BDEB7F8BF45304F1481EAA489A7251DF389A85CF95
              APIs
              • __EH_prolog3.LIBCMT ref: 00489DC5
                • Part of subcall function 00411254: __EH_prolog3.LIBCMT ref: 0041125B
                • Part of subcall function 00411254: GetLastError.KERNEL32(00000004,00411484,00000000,00000000,00000004,004152FC,?,00000001,00411C1B,00000000), ref: 0041127D
                • Part of subcall function 00411254: SetLastError.KERNEL32(?,00000000), ref: 004112BD
                • Part of subcall function 0048B489: __EH_prolog3.LIBCMT ref: 0048B490
              • LoadTypeLib.OLEAUT32(?,?), ref: 00489E3B
              • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00489E55
              • RegOverridePredefKey.ADVAPI32(80000000,00000000), ref: 00489EF7
                • Part of subcall function 0048A8B4: GetVersionExW.KERNEL32(?), ref: 0048A8D8
                • Part of subcall function 00480EFC: RegOverridePredefKey.ADVAPI32(80000000,?), ref: 00480F34
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: H_prolog3$ErrorLastOverridePredefType$LoadRegisterVersion
              • String ID:
              • API String ID: 3828359244-0
              • Opcode ID: 54db0533ca348088b31ee34cb1d9dde3b4dd099497da4febdf216fc0857fb5fe
              • Instruction ID: 1223e5688a2a292c91c61e279ac1a8702171f2ca043e883348a9b424df27bf50
              • Opcode Fuzzy Hash: 54db0533ca348088b31ee34cb1d9dde3b4dd099497da4febdf216fc0857fb5fe
              • Instruction Fuzzy Hash: 79418370500209EFDF04EFA5C844BBE3BA8AF04308F54895EF8159B291D779DA45CB65
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: _memset$ErrorFileLastWrite_malloc_memmove_strcat
              • String ID:
              • API String ID: 3885684527-0
              • Opcode ID: 7099ccfb1823b32ecd60542001627e990b01972215cabd62021b1b29f9980f94
              • Instruction ID: 625ac2c535011c4d0ff36fcee92393cb262bdd08306892e99702488af19e4d5e
              • Opcode Fuzzy Hash: 7099ccfb1823b32ecd60542001627e990b01972215cabd62021b1b29f9980f94
              • Instruction Fuzzy Hash: 503159B5A01A05BFD350DF69C98199AB7F8FF08304B00442EE859C3B01E734AA64CBA8
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 0044D7C6
              • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000048,0044DB02,?,00000000,00000000,?,00000000,00000000,00000000), ref: 0044D800
              • GetLastError.KERNEL32(?,?,00000084,0044EC35,?,?,?,?,?,?), ref: 0044D80D
              • WriteFile.KERNEL32(?,00000000,?,00000000,00000000), ref: 0044D888
              • ReadFile.KERNEL32(00000000,00000000,00000400,?,00000000,?,?,00000084,0044EC35,?,?,?,?,?,?), ref: 0044D8BD
              • CloseHandle.KERNEL32(00000000,?,?,00000084,0044EC35,?,?,?,?,?,?), ref: 0044D8D3
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: File$CloseCreateErrorH_prolog3_HandleLastReadWrite
              • String ID:
              • API String ID: 3672180352-0
              • Opcode ID: 0f8bba54aec5f9560ce22383b37320f709bbd59401c95414217a47a589c9a4da
              • Instruction ID: 83d4dda880316ff8dc314c176ac6340b1aeef4579a1ce41c0fb047a1eb7557a1
              • Opcode Fuzzy Hash: 0f8bba54aec5f9560ce22383b37320f709bbd59401c95414217a47a589c9a4da
              • Instruction Fuzzy Hash: F4318170E00204AFEF14EFA5CC45BAE77B8AF45704F14412AF911AB2D1DB78AD05CB18
              APIs
              • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,17703A82,?,?), ref: 0049BBBE
              • CreateFileMappingW.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000000,?,?), ref: 0049BBD6
              • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,?), ref: 0049BBEE
              • GetFileSize.KERNEL32(00000000,00000000,?,?,?), ref: 0049BC04
              • CloseHandle.KERNEL32(00000000,?,?), ref: 0049BC3C
              • CloseHandle.KERNEL32(?,?,?), ref: 0049BC48
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: File$CloseCreateHandle$MappingSizeView
              • String ID:
              • API String ID: 2246244431-0
              • Opcode ID: b2a70af07973d9ee49d977d5b14ea317aa4317cb16905367b6267f347b044040
              • Instruction ID: d5dae57cd459dbf8191621248d272084f8de0a17e58ee2fdbae0e65b10e19cd2
              • Opcode Fuzzy Hash: b2a70af07973d9ee49d977d5b14ea317aa4317cb16905367b6267f347b044040
              • Instruction Fuzzy Hash: 5D318475600344BBDB209F659D85F6BBFA8EB45B10F14453EFD21A73C1CB799900C6A8
              APIs
                • Part of subcall function 00405900: GetLastError.KERNEL32(00000001,?,17703A82,00000000,00000000,?,?,004B3D18,000000FF,?,00404524), ref: 00405974
                • Part of subcall function 00405900: SetLastError.KERNEL32(?,?,00000000,000000FF,?,00404524), ref: 004059C2
              • GetLastError.KERNEL32 ref: 00404531
              • SysFreeString.OLEAUT32(?), ref: 0040454F
              • SysFreeString.OLEAUT32(?), ref: 0040455C
              • SetLastError.KERNEL32(?), ref: 00404586
              • GetLastError.KERNEL32 ref: 00404595
              • SetLastError.KERNEL32(?,00000000,00000000,000000FF), ref: 004045EF
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: ErrorLast$FreeString
              • String ID:
              • API String ID: 2425351278-0
              • Opcode ID: 48239ddd3d06e8d48d3c865d62f544c69ea939f8fcea2eacf36c55317d888e42
              • Instruction ID: 81959b20e24b551f0f221fcf1ffad6dcf712db96cd00c4931a95d955ce679c90
              • Opcode Fuzzy Hash: 48239ddd3d06e8d48d3c865d62f544c69ea939f8fcea2eacf36c55317d888e42
              • Instruction Fuzzy Hash: F33157B1508741AFD700DF29C884B0ABBE4FF88318F104A2EF955876A0D779E815CF8A
              APIs
                • Part of subcall function 004059E0: SysFreeString.OLEAUT32(?), ref: 00405A42
                • Part of subcall function 004059E0: GetLastError.KERNEL32(17703A82,00000000,00000000,?,?,?,004B4108,000000FF,?,00404674), ref: 00405A6D
                • Part of subcall function 004059E0: SetLastError.KERNEL32(?,?,00000000,000000FF,?,00404674), ref: 00405ABE
              • GetLastError.KERNEL32 ref: 00404681
              • SysFreeString.OLEAUT32(?), ref: 0040469F
              • SysFreeString.OLEAUT32(?), ref: 004046AC
              • SetLastError.KERNEL32(?), ref: 004046D6
              • GetLastError.KERNEL32 ref: 004046E5
              • SetLastError.KERNEL32(?,00000000,00000000,000000FF), ref: 0040473F
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: ErrorLast$FreeString
              • String ID:
              • API String ID: 2425351278-0
              APIs
              • lstrlenW.KERNEL32(?,00000000,00000000,00000000,?,?,0042D176,?,0000000C,0000000C,?,?,00000000,?,?,?), ref: 0045034F
              • lstrcpyW.KERNEL32(00000000,?,?,?,0042D176,?,0000000C,0000000C,?,?,00000000,?,?,?,CacheFolder,?), ref: 0045036E
              • lstrcatW.KERNEL32(00000000,004B7EE0,?,?,0042D176,?,0000000C,0000000C,?,?,00000000,?,?,?,CacheFolder,?), ref: 0045037A
              • lstrlenW.KERNEL32(00000000,?,?,0042D176,?,0000000C,0000000C,?,?,00000000,?,?,?,CacheFolder,?,00000001), ref: 00450383
              • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0042D176,?,0000000C,0000000C,?,?,00000000,?,?,?,CacheFolder,?), ref: 0045039D
              • GetLastError.KERNEL32(?,?,0042D176,?,0000000C,0000000C,?,?,00000000,?,?,?,CacheFolder,?,00000001,004CBE7C), ref: 004503A7
              Similarity
              • API ID: lstrlen$CreateDirectoryErrorLastlstrcatlstrcpy
              • String ID:
              • API String ID: 4043630017-0
              APIs
              • __EH_prolog3.LIBCMT ref: 004284D1
              • GetLastError.KERNEL32(00000004,0042849C,?,00000000,?,00000001), ref: 004284F3
              • SetLastError.KERNEL32(?), ref: 0042852E
              • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,?,00000000,00000000), ref: 0042854F
              • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,?,00000037,00000000,00000000,00000000), ref: 00428576
              • SetLastError.KERNEL32(?), ref: 00428584
              Similarity
              • API ID: ErrorLast$ByteCharMultiWide$H_prolog3
              • String ID:
              • API String ID: 1573742327-0
              APIs
              • lstrcpyW.KERNEL32(?,?,-00000004,00000008,00000000), ref: 004506B5
              • _wcsrchr.LIBCMT ref: 004506C0
              • _wcsrchr.LIBCMT ref: 004506D6
              • CharNextW.USER32(00000000), ref: 004506E4
              • lstrcpyW.KERNEL32(?,?), ref: 004506FE
              • lstrcpyW.KERNEL32(?,00000000), ref: 00450707
              Similarity
              • API ID: lstrcpy$_wcsrchr$CharNext
              • String ID:
              • API String ID: 3722002711-0
              APIs
              Similarity
              • API ID: lstrcpylstrlen$FileModuleName_memset
              • String ID:
              • API String ID: 1771775811-0
              APIs
              • __init_pointers.LIBCMT ref: 00459553
                • Part of subcall function 00458F38: EncodePointer.KERNEL32(00000000,?,00459558,00457FB9,004E42E0,00000014), ref: 00458F3B
                • Part of subcall function 00458F38: __initp_misc_winsig.LIBCMT ref: 00458F5C
                • Part of subcall function 00458F38: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 0046247D
                • Part of subcall function 00458F38: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00462491
                • Part of subcall function 00458F38: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 004624A4
                • Part of subcall function 00458F38: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 004624B7
                • Part of subcall function 00458F38: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 004624CA
                • Part of subcall function 00458F38: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 004624DD
                • Part of subcall function 00458F38: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 004624F0
                • Part of subcall function 00458F38: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00462503
                • Part of subcall function 00458F38: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00462516
                • Part of subcall function 00458F38: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00462529
                • Part of subcall function 00458F38: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 0046253C
                • Part of subcall function 00458F38: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 0046254F
                • Part of subcall function 00458F38: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00462562
                • Part of subcall function 00458F38: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00462575
                • Part of subcall function 00458F38: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00462588
                • Part of subcall function 00458F38: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 0046259B
              • __mtinitlocks.LIBCMT ref: 00459558
                • Part of subcall function 00467F69: InitializeCriticalSectionAndSpinCount.KERNEL32(0GO,00000FA0,?,?,0045955D,00457FB9,004E42E0,00000014), ref: 00467F87
              • __mtterm.LIBCMT ref: 00459561
                • Part of subcall function 004595C9: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00459566,00457FB9,004E42E0,00000014), ref: 00467E85
                • Part of subcall function 004595C9: _free.LIBCMT ref: 00467E8C
                • Part of subcall function 004595C9: DeleteCriticalSection.KERNEL32(0GO,?,?,00459566,00457FB9,004E42E0,00000014), ref: 00467EAE
              • __calloc_crt.LIBCMT ref: 00459586
              • GetCurrentThreadId.KERNEL32 ref: 004595AF
              Similarity
              • API ID: AddressProc$CriticalSection$Delete$CountCurrentEncodeHandleInitializeModulePointerSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
              • String ID:
              • API String ID: 2930087205-0
              APIs
              • CreateFileW.KERNEL32(004EF8A8,40000000,00000000,00000000,00000004,00000080,00000000), ref: 004293DB
              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 004293ED
              • lstrlenW.KERNEL32(?,?,00000000), ref: 004293FB
              • WriteFile.KERNEL32(00000000,?,00000000), ref: 00429406
              • WriteFile.KERNEL32(00000000,004B6818,00000002,?,00000000), ref: 00429419
              • CloseHandle.KERNEL32(00000000), ref: 00429420
              Similarity
              • API ID: File$Write$CloseCreateHandlePointerlstrlen
              • String ID:
              • API String ID: 4224374842-0
              APIs
              • GetDlgItem.USER32(00000000,00000000), ref: 0043E612
              • EnableWindow.USER32(00000000), ref: 0043E615
              • GetDlgItem.USER32(00000000,00000001), ref: 0043E62C
              • EnableWindow.USER32(00000000), ref: 0043E62F
              • GetDlgItem.USER32(00000000), ref: 0043E63E
              • SetFocus.USER32(00000000), ref: 0043E641
              Similarity
              • API ID: Item$EnableWindow$Focus
              • String ID:
              • API String ID: 864471436-0
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 00435C8A
                • Part of subcall function 00402CA0: GetLastError.KERNEL32(17703A82,?,00000000,?,?,?,004B3A88,000000FF,?,00401F2D,InstallShield.log,?,00000001), ref: 00402CF0
                • Part of subcall function 00402CA0: SetLastError.KERNEL32(?,004CBE7C,00000000,?,00000000,?,?,?,004B3A88,000000FF,?,00401F2D,InstallShield.log,?,00000001), ref: 00402D68
                • Part of subcall function 0044561A: __EH_prolog3_GS.LIBCMT ref: 00445624
                • Part of subcall function 00401AC0: GetLastError.KERNEL32(?,00000000,004035F7,00000000,00000000,?,?,00000000,004CBE7C,?,00000001,?,00000000,000000FF,-00000004,?), ref: 00401ACF
                • Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AEB
                • Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AF6
                • Part of subcall function 00401AC0: SetLastError.KERNEL32(?), ref: 00401B14
                • Part of subcall function 004388B1: __EH_prolog3_catch.LIBCMT ref: 004388B8
                • Part of subcall function 004388B1: Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 004388CC
              Strings
              Similarity
              • API ID: ErrorLast$FreeH_prolog3_String$Concurrency::details::_Concurrent_queue_base_v4::_H_prolog3_catchInternal_throw_exception
              • String ID: 1033$J#Version$SOFTWARE\Microsoft\Visual JSharp Setup\Redist$Startup
              • API String ID: 1602809483-1919874662
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 004444F0
                • Part of subcall function 00403E30: GetLastError.KERNEL32 ref: 00403E4F
                • Part of subcall function 00403E30: SetLastError.KERNEL32(?), ref: 00403E7F
                • Part of subcall function 00416071: SysStringLen.OLEAUT32(?), ref: 0041607E
                • Part of subcall function 00416071: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 00416098
                • Part of subcall function 00418F22: __EH_prolog3.LIBCMT ref: 00418F29
                • Part of subcall function 00419D16: __EH_prolog3_GS.LIBCMT ref: 00419D20
                • Part of subcall function 00419D16: SysStringLen.OLEAUT32(?), ref: 00419E46
                • Part of subcall function 00419D16: SysFreeString.OLEAUT32(?), ref: 00419E55
                • Part of subcall function 00419D16: SysFreeString.OLEAUT32(?), ref: 00419E9A
                • Part of subcall function 004193C8: __EH_prolog3.LIBCMT ref: 004193CF
              Strings
              Similarity
              • API ID: String$ErrorFreeH_prolog3H_prolog3_Last$Alloc
              • String ID: IS_temp$eprq$runfromtemp$tempdisk1folder
              • API String ID: 2107722048-2885546089
              APIs
              • _memmove.LIBCMT ref: 004814DB
              • _memmove.LIBCMT ref: 00481514
              • _memmove.LIBCMT ref: 0048154C
              • _memmove.LIBCMT ref: 00481575
                • Part of subcall function 00452CDB: std::exception::exception.LIBCMT ref: 00452CEE
                • Part of subcall function 00452CDB: __CxxThrowException@8.LIBCMT ref: 00452D03
              Strings
              Similarity
              • API ID: _memmove$Exception@8Throwstd::exception::exception
              • String ID: deque<T> too long
              • API String ID: 1300846289-309773918
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 0043CA80
                • Part of subcall function 00402CA0: GetLastError.KERNEL32(17703A82,?,00000000,?,?,?,004B3A88,000000FF,?,00401F2D,InstallShield.log,?,00000001), ref: 00402CF0
                • Part of subcall function 00402CA0: SetLastError.KERNEL32(?,004CBE7C,00000000,?,00000000,?,?,?,004B3A88,000000FF,?,00401F2D,InstallShield.log,?,00000001), ref: 00402D68
                • Part of subcall function 004457A9: __EH_prolog3_GS.LIBCMT ref: 004457B0
                • Part of subcall function 00401AC0: GetLastError.KERNEL32(?,00000000,004035F7,00000000,00000000,?,?,00000000,004CBE7C,?,00000001,?,00000000,000000FF,-00000004,?), ref: 00401ACF
                • Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AEB
                • Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AF6
                • Part of subcall function 00401AC0: SetLastError.KERNEL32(?), ref: 00401B14
                • Part of subcall function 00403B80: GetLastError.KERNEL32 ref: 00403B9F
                • Part of subcall function 00403B80: SetLastError.KERNEL32(?), ref: 00403BCF
              Strings
              Similarity
              • API ID: ErrorLast$FreeH_prolog3_String
              • String ID: %s%d$UpgardeTable$count$key
              • API String ID: 2608676048-2647550720
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 004437E4
              • __itow.LIBCMT ref: 004438A0
                • Part of subcall function 00444B3B: __EH_prolog3.LIBCMT ref: 00444B42
                • Part of subcall function 00429B98: __EH_prolog3_GS.LIBCMT ref: 00429BA2
                • Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00415457,00000000,?,00000000,?,00000001,00000044,004152EA,004CC0A0,?,00000000,00000000,00000040,004115AA), ref: 00401B8F
                • Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
                • Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
                • Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4
              Strings
              Similarity
              • API ID: ErrorFreeH_prolog3_LastString$H_prolog3__itow
              • String ID: /Q$ /l$/p"
              • API String ID: 2909596346-3368241770
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 00420870
                • Part of subcall function 00403E30: GetLastError.KERNEL32 ref: 00403E4F
                • Part of subcall function 00403E30: SetLastError.KERNEL32(?), ref: 00403E7F
                • Part of subcall function 00420177: __EH_prolog3_GS.LIBCMT ref: 0042017E
                • Part of subcall function 00420AA0: __EH_prolog3.LIBCMT ref: 00420AA7
                • Part of subcall function 00416398: __EH_prolog3_GS.LIBCMT ref: 004163A2
                • Part of subcall function 004202D0: __EH_prolog3_GS.LIBCMT ref: 004202D7
                • Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00415457,00000000,?,00000000,?,00000001,00000044,004152EA,004CC0A0,?,00000000,00000000,00000040,004115AA), ref: 00401B8F
                • Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
                • Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
                • Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4
                • Part of subcall function 004115ED: __EH_prolog3.LIBCMT ref: 004115F4
                • Part of subcall function 00411456: __EH_prolog3.LIBCMT ref: 0041145D
                • Part of subcall function 004872FE: __EH_prolog3_GS.LIBCMT ref: 00487308
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: H_prolog3_$ErrorLast$H_prolog3$FreeString
              • String ID: .ini$0x%04x$FontSize$Properties
              • API String ID: 827811706-3572762767
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 00489A27
                • Part of subcall function 00411254: __EH_prolog3.LIBCMT ref: 0041125B
                • Part of subcall function 00411254: GetLastError.KERNEL32(00000004,00411484,00000000,00000000,00000004,004152FC,?,00000001,00411C1B,00000000), ref: 0041127D
                • Part of subcall function 00411254: SetLastError.KERNEL32(?,00000000), ref: 004112BD
                • Part of subcall function 0048B489: __EH_prolog3.LIBCMT ref: 0048B490
                • Part of subcall function 004166AC: __EH_prolog3_GS.LIBCMT ref: 004166B6
                • Part of subcall function 00489CCD: __EH_prolog3_GS.LIBCMT ref: 00489CD4
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: H_prolog3_$ErrorH_prolog3Last
              • String ID: .DLL$.EXE$.OCX$.TLB
              • API String ID: 1247511005-324785130
              APIs
              • _strstr.LIBCMT ref: 0040F7AB
              • _memset.LIBCMT ref: 0040F7D1
              • GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 0040F7E5
              • LoadLibraryA.KERNEL32(00000000), ref: 0040F83B
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: DirectoryLibraryLoadSystem_memset_strstr
              • String ID: api-ms-win-core-
              • API String ID: 3657221724-1285793476
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 00423A4B
                • Part of subcall function 00411456: __EH_prolog3.LIBCMT ref: 0041145D
              • LoadLibraryW.KERNEL32(?,?,00000001,0000006C,004348EF,?,00000000,?,00000000), ref: 00423A74
              • GetLastError.KERNEL32 ref: 00423A8B
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: ErrorH_prolog3H_prolog3_LastLibraryLoad
              • String ID: Failed to load ISSetup.dll$IsMsiHelper.cpp
              • API String ID: 1370564055-251664514
              APIs
              • FormatMessageW.KERNEL32(00001300,00000000,?,00000000,?,00000000,00000000,00000000,00000000), ref: 00451B33
              • _memset.LIBCMT ref: 00451B53
              • wsprintfW.USER32 ref: 00451B6B
                • Part of subcall function 0045007A: __EH_prolog3_GS.LIBCMT ref: 00450084
              • LocalFree.KERNEL32(?), ref: 00451B86
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: FormatFreeH_prolog3_LocalMessage_memsetwsprintf
              • String ID: %s %s
              • API String ID: 1431993970-2939940506
              APIs
              • wsprintfW.USER32 ref: 00450CD5
                • Part of subcall function 004505DE: lstrcpyW.KERNEL32(?,?,?,?), ref: 00450622
                • Part of subcall function 004505DE: _wcsrchr.LIBCMT ref: 0045062D
                • Part of subcall function 004505DE: CharNextW.USER32(00000000), ref: 0045063B
                • Part of subcall function 004505DE: lstrcpyW.KERNEL32(?,?), ref: 00450659
                • Part of subcall function 004505DE: lstrcpyW.KERNEL32(?,00000000), ref: 00450662
                • Part of subcall function 00450202: lstrlenW.KERNEL32(?,?,?,00447A1B,004F2640,?,004F2EDC,?,?,004199BE,00000000,00000001,0000044F,00000000,000008A8,00428637), ref: 0045020A
                • Part of subcall function 00450202: lstrcpynW.KERNEL32(?,?,-00000001,?,00447A1B,004F2640,?,004F2EDC,?,?,004199BE,00000000,00000001,0000044F,00000000,000008A8), ref: 0045022E
                • Part of subcall function 00450202: lstrcatW.KERNEL32(?,?,?,?,00447A1B,004F2640,?,004F2EDC,?,?,004199BE,00000000,00000001,0000044F,00000000,000008A8), ref: 0045024B
              • lstrcatW.KERNEL32(?,.ini,?,?,?,004F2640,?,?), ref: 00450D07
              • lstrcpyW.KERNEL32(?,?), ref: 00450D16
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: lstrcpy$lstrcat$CharNext_wcsrchrlstrcpynlstrlenwsprintf
              • String ID: %#04x$.ini
              • API String ID: 3831616985-866680231
              APIs
              • GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 00440461
              • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00440471
                • Part of subcall function 00440C91: GetModuleHandleW.KERNEL32(Advapi32.dll,?,?,?,00440451,?,?), ref: 00440CA3
                • Part of subcall function 00440C91: GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedW), ref: 00440CB3
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: AddressHandleModuleProc
              • String ID: Advapi32.dll$RegDeleteKeyExW
              • API String ID: 1646373207-2191092095
              APIs
              • RegOpenKeyExW.ADVAPI32(80000001,Software\InstallShield\ISWI\7.0\SetupExeLog,00000000,00000001,?), ref: 004287BC
              • RegQueryValueExW.ADVAPI32(?,SetupLogFileName,00000000,00000000,004EF8A8,?), ref: 004287E2
              • RegCloseKey.ADVAPI32(?), ref: 004287FD
              Strings
              • Software\InstallShield\ISWI\7.0\SetupExeLog, xrefs: 004287B2
              • SetupLogFileName, xrefs: 004287D3
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: CloseOpenQueryValue
              • String ID: SetupLogFileName$Software\InstallShield\ISWI\7.0\SetupExeLog
              • API String ID: 3677997916-622478307
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: CharNext
              • String ID: /m1$/m2
              • API String ID: 3213498283-2289526375
              APIs
              • GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,00450985,000000BC,0042DDE4,?,004CC0A0,00000000,?,?,?,?,0000000C), ref: 0048C0AD
              • GetProcAddress.KERNEL32(00000000), ref: 0048C0B4
              • GetCurrentProcess.KERNEL32(00000000,?,?,00450985,000000BC,0042DDE4,?,004CC0A0,00000000,?,?,?,?,0000000C,0000000C,?), ref: 0048C0C4
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: AddressCurrentHandleModuleProcProcess
              • String ID: IsWow64Process$kernel32
              • API String ID: 4190356694-3789238822
              APIs
              • MultiByteToWideChar.KERNEL32(?,00000000,00000000,00000001,00000000,00000000,17703A82,74DEE010,004CBCD0,?), ref: 004070A0
              • MultiByteToWideChar.KERNEL32(?,00000000,?), ref: 004070DA
              • GetLastError.KERNEL32 ref: 00407169
              • SetLastError.KERNEL32(004CC554,004CBE7C,00000000), ref: 004071CB
              • GetLastError.KERNEL32 ref: 00407220
              • SetLastError.KERNEL32(004CC554,004CBE7C,00000000), ref: 00407285
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: ErrorLast$ByteCharMultiWide
              • String ID:
              • API String ID: 3361762293-0
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: _memmove
              • String ID:
              • API String ID: 4104443479-0
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 0042CBA4
                • Part of subcall function 00403E30: GetLastError.KERNEL32 ref: 00403E4F
                • Part of subcall function 00403E30: SetLastError.KERNEL32(?), ref: 00403E7F
                • Part of subcall function 00420EED: __EH_prolog3_GS.LIBCMT ref: 00420EF4
                • Part of subcall function 00420B07: __EH_prolog3_GS.LIBCMT ref: 00420B11
              • SendMessageW.USER32(00000000,00000401,00000000,00000001), ref: 0042CCC4
              • GetDlgItem.USER32(00000000,0000012D), ref: 0042CD19
              • SendMessageW.USER32(00000000,0000000F,00000000,00000000), ref: 0042CD24
              • SendMessageW.USER32(00000000,00000401,00000000,00000000), ref: 0042CD30
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: H_prolog3_MessageSend$ErrorLast$Item
              • String ID:
              • API String ID: 3498289266-0
              • Opcode ID: 4fcf521e8b01b8954e8545d25a14eb8f85c353755ea2517a2aacfa78ab5f13aa
              • Instruction ID: 74c895e59228dd0e2bc847fe90d060021c497d6d0895da4c98198e93d01b7bb9
              • Opcode Fuzzy Hash: 4fcf521e8b01b8954e8545d25a14eb8f85c353755ea2517a2aacfa78ab5f13aa
              • Instruction Fuzzy Hash: FC51A370A00258EFDB20EBA5CC85BDE77B8BF01308F0000AEF145A7192DB786E08CB59
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: _memmove
              • String ID:
              • API String ID: 4104443479-0
              • Opcode ID: dd5356b6c49b9a9effbfff91619fe88c7ba85fae8116e07157ad891e2f8401f5
              • Instruction ID: be6947d3aed95e0217deb2985b22000ca4a325fa887b3d8cd51b1a2123c816da
              • Opcode Fuzzy Hash: dd5356b6c49b9a9effbfff91619fe88c7ba85fae8116e07157ad891e2f8401f5
              • Instruction Fuzzy Hash: A241F8B1600102BBCF288F55C8C1A66BBB5FF1A355B20447FE982D6242E379CA51CB9C
              APIs
              • CharNextW.USER32(?,?,00000000,?,?,?,?,0043FD0C,?,17703A82,?,?,?,?,?,004AA98E), ref: 00440854
              • CharNextW.USER32(?,?,?,00000000,?,?,?,?,0043FD0C,?,17703A82), ref: 004408DA
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: CharNext
              • String ID:
              • API String ID: 3213498283-0
              • Opcode ID: dd292b9cc1bfbb298a885f9bc7a21fb81f5f35f971ac2af6582b91f4097db3a8
              • Instruction ID: 6dcca1d0be940c81f6a039729ec60f37e08102729f74833aef59425799db69da
              • Opcode Fuzzy Hash: dd292b9cc1bfbb298a885f9bc7a21fb81f5f35f971ac2af6582b91f4097db3a8
              • Instruction Fuzzy Hash: BE41A075A00306DFEB209F68C98056AB7F5FF58704764052EEA89DB315E738AD90CB98
              APIs
              • __EH_prolog3_catch_GS.LIBCMT ref: 0048D85E
              • EnterCriticalSection.KERNEL32(00000090,0048D67D,?,00000000), ref: 0048D86E
              • _strncpy.LIBCMT ref: 0048D89B
              • lstrlenA.KERNEL32(00000000), ref: 0048D8A4
                • Part of subcall function 004425B2: __EH_prolog3.LIBCMT ref: 004425B9
                • Part of subcall function 00411254: __EH_prolog3.LIBCMT ref: 0041125B
                • Part of subcall function 00411254: GetLastError.KERNEL32(00000004,00411484,00000000,00000000,00000004,004152FC,?,00000001,00411C1B,00000000), ref: 0041127D
                • Part of subcall function 00411254: SetLastError.KERNEL32(?,00000000), ref: 004112BD
                • Part of subcall function 0044859C: __EH_prolog3.LIBCMT ref: 004485A3
              • LeaveCriticalSection.KERNEL32(004BAB98,40000000,00000001,00000080,00000004,00000000,00000000,004EEC44,00000000), ref: 0048D97F
                • Part of subcall function 00448742: __EH_prolog3_GS.LIBCMT ref: 0044874C
                • Part of subcall function 00448742: __CxxThrowException@8.LIBCMT ref: 004487A2
                • Part of subcall function 00448742: SetFilePointer.KERNEL32(?,?,00000000,?,00000088,0044853C,00000000,00000000,00000000,00000000,00000000,0000000C,00448616), ref: 004487AE
                • Part of subcall function 00448742: GetLastError.KERNEL32(?,?,?,?,?,?,00000000), ref: 004487F2
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: ErrorH_prolog3Last$CriticalSection$EnterException@8FileH_prolog3_H_prolog3_catch_LeavePointerThrow_strncpylstrlen
              • String ID:
              • API String ID: 817104565-0
              • Opcode ID: 4a3e91de9d0796a91251f94a37f42919d91c24ee498592b99a8091e080047cce
              • Instruction ID: 08cd8ab6bf282aff3ca8ff81286ae8cafdb47f6d8a707a820c006c1ef946dc39
              • Opcode Fuzzy Hash: 4a3e91de9d0796a91251f94a37f42919d91c24ee498592b99a8091e080047cce
              • Instruction Fuzzy Hash: 1631C470900258AEEB11EBA2DD95FDE7B78AF55308F00409EF60962183DF781F49CB29
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 0041F635
              • GetTempPathW.KERNEL32(00000104,?), ref: 0041F658
                • Part of subcall function 0041FCB4: __EH_prolog3.LIBCMT ref: 0041FCBB
                • Part of subcall function 0041FCB4: SysStringLen.OLEAUT32(?), ref: 0041FCD8
              • GetTempFileNameW.KERNEL32(?,?,00000000,?,?), ref: 0041F689
                • Part of subcall function 0041DFC0: __EH_prolog3.LIBCMT ref: 0041DFC7
                • Part of subcall function 0041DFC0: GetLastError.KERNEL32(00000004,0041E18C), ref: 0041DFE4
                • Part of subcall function 0041DFC0: SysFreeString.OLEAUT32(?), ref: 0041DFF1
                • Part of subcall function 0041DFC0: SetLastError.KERNEL32(?), ref: 0041E00B
                • Part of subcall function 0041DFC0: GetLastError.KERNEL32 ref: 0041E01E
                • Part of subcall function 0041DFC0: SysFreeString.OLEAUT32(?), ref: 0041E043
                • Part of subcall function 0041DFC0: SetLastError.KERNEL32(?), ref: 0041E057
                • Part of subcall function 0041DF79: __EH_prolog3.LIBCMT ref: 0041DF80
              • lstrcatW.KERNEL32(?,?,?,?,00000001), ref: 0041F6E5
                • Part of subcall function 0041FC18: __EH_prolog3.LIBCMT ref: 0041FC1F
                • Part of subcall function 0041FC18: SysStringLen.OLEAUT32(?), ref: 0041FC3D
              • lstrcatW.KERNEL32(?,?,?,00000000), ref: 0041F714
                • Part of subcall function 0041F044: SysFreeString.OLEAUT32(?), ref: 0041F054
                • Part of subcall function 0041F044: SysAllocString.OLEAUT32(?), ref: 0041F05F
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: String$ErrorH_prolog3Last$Free$Templstrcat$AllocFileH_prolog3_NamePath
              • String ID:
              • API String ID: 2174228965-0
              • Opcode ID: 2d42efe95e813f04f01b48fce8dcb6dbdd44a1e5df4e54be3e2b290c42b0e793
              • Instruction ID: 39ed44da8175410fd0c7801f25455e8e5ca92ec0a27e0fc13d37726c816435e5
              • Opcode Fuzzy Hash: 2d42efe95e813f04f01b48fce8dcb6dbdd44a1e5df4e54be3e2b290c42b0e793
              • Instruction Fuzzy Hash: D33130B190021C9BDB15DB50CC85BEDB7BCAF55308F4040EAA209A7192EB785BC9DF99
              APIs
              • __EH_prolog3.LIBCMT ref: 00422160
              • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,?,?,?,?,?,0000000C), ref: 004221D1
              • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,?,?,0000000C), ref: 004221EB
                • Part of subcall function 00421F9C: __EH_prolog3_GS.LIBCMT ref: 00421FA6
                • Part of subcall function 00421F9C: _memmove.LIBCMT ref: 0042207A
                • Part of subcall function 00421F9C: _memmove.LIBCMT ref: 0042209A
                • Part of subcall function 00421F9C: GetWindowDC.USER32(00000000), ref: 004220A4
                • Part of subcall function 00421F9C: CreateDIBitmap.GDI32(00000000,00000000,00000004,?,00000000,00000000), ref: 004220BC
                • Part of subcall function 00421F9C: ReleaseDC.USER32(00000000,00000000), ref: 004220E7
              • CreateFileMappingW.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000000,?,?,?,?,?,?,0000000C), ref: 004221B2
                • Part of subcall function 00404BF0: CloseHandle.KERNELBASE(?,00000000,0048975B,?,0000006C,0048BECB,004881FF,?,?), ref: 00404C03
              • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,?,?,0000000C), ref: 00422191
                • Part of subcall function 00408A90: CloseHandle.KERNELBASE(?,?,00412E65,?,00000008,00000000,?,00413077,000000FF,?), ref: 00408AA4
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: File$Create$CloseHandle_memmove$BitmapH_prolog3H_prolog3_MappingReleaseSizeViewWindow
              • String ID:
              • API String ID: 2693691320-0
              • Opcode ID: 7775f63d3773630f2adf36f83edddffa7f0e404b0c0747b2ca6a75b6a7535fb5
              • Instruction ID: 46b88f8d729d28e36f059bc72c0a1bdf39ffc3abe654908c3129e341ef7d5e54
              • Opcode Fuzzy Hash: 7775f63d3773630f2adf36f83edddffa7f0e404b0c0747b2ca6a75b6a7535fb5
              • Instruction Fuzzy Hash: C9219270900215AEE700EB748D06BBEBBB8AF51314F50022EB921F31E1DBB84E059769
              APIs
              • _malloc.LIBCMT ref: 00462824
                • Part of subcall function 004576A6: __FF_MSGBANNER.LIBCMT ref: 004576BD
                • Part of subcall function 004576A6: __NMSG_WRITE.LIBCMT ref: 004576C4
                • Part of subcall function 004576A6: RtlAllocateHeap.NTDLL(006A0000,00000000,00000001,00000000,?,00000000,?,00459194,00000008,00000008,00000008,?,?,00467F03,00000018,004E4738), ref: 004576E9
              • _free.LIBCMT ref: 00462837
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: AllocateHeap_free_malloc
              • String ID:
              • API String ID: 1020059152-0
              • Opcode ID: c6e1a918cbddec5683ad424da7463536b74b3693814b4aae70977b0f2e0f23e4
              • Instruction ID: 3966e896475cdb20e39c47b61b6c8a4b5c6e7763bc7bbedcad151e2e9c612a5f
              • Opcode Fuzzy Hash: c6e1a918cbddec5683ad424da7463536b74b3693814b4aae70977b0f2e0f23e4
              • Instruction Fuzzy Hash: D111C132504A15BBCB343F75BE4465A3798AF10375B12463BFC0497292FEBDC854829E
              APIs
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043F579
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043F587
              • GetTickCount.KERNEL32 ref: 0043F591
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043F5B0
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043F5D9
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$CountTick
              • String ID:
              • API String ID: 404621862-0
              • Opcode ID: 07eb1b281d2973e258537c62248dd9eba29ac6f4c608e2474321b16c4f3a1ca5
              • Instruction ID: 2f9e71e33a987069ebd0a22b7244f56e385b2d3901c7a0de6a6e9d4e7d303c8a
              • Opcode Fuzzy Hash: 07eb1b281d2973e258537c62248dd9eba29ac6f4c608e2474321b16c4f3a1ca5
              • Instruction Fuzzy Hash: E3216D71600305AFD7359F25C881B6777B9EB88711F10492EF9428B251C735E815CB64
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: lstrcpy$CharNext_wcsrchr
              • String ID:
              • API String ID: 2742890867-0
              • Opcode ID: f8216447f51ce6464761e52a3f16da3c7357693433fadeb8d627f2507f6c9705
              • Instruction ID: 808b5a1f1bf49a998a3dd79559edde3530a5fe8772d1c5fe9b731be9032a88f8
              • Opcode Fuzzy Hash: f8216447f51ce6464761e52a3f16da3c7357693433fadeb8d627f2507f6c9705
              • Instruction Fuzzy Hash: 7D1191759002189FC7A1DF64DC90AAFB7F8FF84710F00816AA945D3241DE349D588B98
              APIs
                • Part of subcall function 00455577: _malloc.LIBCMT ref: 0045558F
              • std::exception::exception.LIBCMT ref: 00452C6E
              • __CxxThrowException@8.LIBCMT ref: 00452C83
              • __CxxThrowException@8.LIBCMT ref: 00452CA7
              • std::exception::exception.LIBCMT ref: 00452CC0
              • __CxxThrowException@8.LIBCMT ref: 00452CD5
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: Exception@8Throw$std::exception::exception$_malloc
              • String ID:
              • API String ID: 3942750879-0
              • Opcode ID: 2b69a5f085a8fd56a52e04a58f0ad37813a3ac5625a774aeb4b5a8fbe9ced85a
              • Instruction ID: fe0d907686511bbf02f766c5fdb17e1ab7d1fcf1098cbe20899e777b1f1813ae
              • Opcode Fuzzy Hash: 2b69a5f085a8fd56a52e04a58f0ad37813a3ac5625a774aeb4b5a8fbe9ced85a
              • Instruction Fuzzy Hash: E711867480020DAECB04EFA5D455ADD77B8AF04305F5084AAAA1597643EB78A60CCBA9
              APIs
                • Part of subcall function 00455577: _malloc.LIBCMT ref: 0045558F
              • std::exception::exception.LIBCMT ref: 00452C6E
              • __CxxThrowException@8.LIBCMT ref: 00452C83
              • __CxxThrowException@8.LIBCMT ref: 00452CA7
              • std::exception::exception.LIBCMT ref: 00452CC0
              • __CxxThrowException@8.LIBCMT ref: 00452CD5
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: Exception@8Throw$std::exception::exception$_malloc
              • String ID:
              • API String ID: 3942750879-0
              • Opcode ID: cc68fdb84a272e7eb5458dd09d0b382a9545febf295409d47bdc402346ceea09
              • Instruction ID: 655585722956cd4c7a6445dd2a31c39c363cfc8a21a6e1181c56ed70c74d8c6d
              • Opcode Fuzzy Hash: cc68fdb84a272e7eb5458dd09d0b382a9545febf295409d47bdc402346ceea09
              • Instruction Fuzzy Hash: 8311B674C0020DAECB04EFA5D856ADD77B8AF04305F5084ABE91497643EB78964C8BA9
              APIs
                • Part of subcall function 00455577: _malloc.LIBCMT ref: 0045558F
              • std::exception::exception.LIBCMT ref: 00452C6E
              • __CxxThrowException@8.LIBCMT ref: 00452C83
              • __CxxThrowException@8.LIBCMT ref: 00452CA7
              • std::exception::exception.LIBCMT ref: 00452CC0
              • __CxxThrowException@8.LIBCMT ref: 00452CD5
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: Exception@8Throw$std::exception::exception$_malloc
              • String ID:
              • API String ID: 3942750879-0
              • Opcode ID: bc28b5cc8982446ae919cbda8fcc220ce26516399623f21bb7b77c4ac48f09c2
              • Instruction ID: 06e4040b7205177d7b6272d8f686a55e0b09f1b14acd408a805c5cfe7236b662
              • Opcode Fuzzy Hash: bc28b5cc8982446ae919cbda8fcc220ce26516399623f21bb7b77c4ac48f09c2
              • Instruction Fuzzy Hash: 4511B67480020DAECB04EFA6D855ADD77B8AF00305F5085ABA91497652EB78964CCBA9
              APIs
                • Part of subcall function 00459419: __getptd_noexit.LIBCMT ref: 0045941A
                • Part of subcall function 00459419: __amsg_exit.LIBCMT ref: 00459427
              • __amsg_exit.LIBCMT ref: 0045C6CE
              • __lock.LIBCMT ref: 0045C6DE
              • InterlockedDecrement.KERNEL32(?), ref: 0045C6FB
              • _free.LIBCMT ref: 0045C70E
              • InterlockedIncrement.KERNEL32(006BDB60), ref: 0045C726
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd_noexit__lock_free
              • String ID:
              • API String ID: 1231874560-0
              • Opcode ID: d150c55eb6278abc3d3909a3d3dc3c61cb6a0b4a98d1c7b441e45496be070e94
              • Instruction ID: 9cdb26db67b9f9af3d9d971090041b5a17e6bf024fc80015439ef79198a14352
              • Opcode Fuzzy Hash: d150c55eb6278abc3d3909a3d3dc3c61cb6a0b4a98d1c7b441e45496be070e94
              • Instruction Fuzzy Hash: E1018E32901722AFD710AF66948675E7360AB08766F15001FEC006B693DB3C6949CFDD
              APIs
              • GetFileSize.KERNEL32(?,00000000,00000000,?,?,?,0040FB59,00000000,?,?,0044E024,?,00000000,?), ref: 0040FAD2
              • CreateFileMappingW.KERNEL32(?,00000000,00000004,00000000,00000000,00000000,?,?,0040FB59,00000000,?,?,0044E024,?,00000000,?), ref: 0040FAE4
              • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,00000000,?,?,0040FB59,00000000,?,?,0044E024,?,00000000,?), ref: 0040FAF7
              • UnmapViewOfFile.KERNEL32(00000000,?,?), ref: 0040FB15
              • CloseHandle.KERNEL32(00000000,?,?,0040FB59,00000000,?,?,0044E024,?,00000000,?), ref: 0040FB1C
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: File$View$CloseCreateHandleMappingSizeUnmap
              • String ID:
              • API String ID: 1558290345-0
              • Opcode ID: 14e5fd339c3dc50f903d33560d862fb515e8aff20ad8573d30ea29675818bbea
              • Instruction ID: a5081dec421e36e23c687878ce9ca6f9d9ef74faa4089bc7a116c8f38561c15f
              • Opcode Fuzzy Hash: 14e5fd339c3dc50f903d33560d862fb515e8aff20ad8573d30ea29675818bbea
              • Instruction Fuzzy Hash: 24F0C232101224BBC7311BA6DC4DDAB7FBDEF867B0B090138FA0992251D6798900C7E4
              APIs
                • Part of subcall function 00459419: __getptd_noexit.LIBCMT ref: 0045941A
                • Part of subcall function 00459419: __amsg_exit.LIBCMT ref: 00459427
              • __calloc_crt.LIBCMT ref: 0045D4B1
                • Part of subcall function 00459134: __calloc_impl.LIBCMT ref: 00459143
                • Part of subcall function 00459134: Sleep.KERNEL32(00000000,?,00459459,00000001,000003BC), ref: 0045915A
              • __lock.LIBCMT ref: 0045D4E7
              • ___addlocaleref.LIBCMT ref: 0045D4F3
              • __lock.LIBCMT ref: 0045D507
              • InterlockedIncrement.KERNEL32(?), ref: 0045D517
                • Part of subcall function 00456505: __getptd_noexit.LIBCMT ref: 00456505
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: __getptd_noexit__lock$IncrementInterlockedSleep___addlocaleref__amsg_exit__calloc_crt__calloc_impl
              • String ID:
              • API String ID: 2144732038-0
              • Opcode ID: c49ef88791390e13127093d6cc3f85d5df9b1cddf84d4ddcafe85a0cfe6d9598
              • Instruction ID: 11cbfee4697e5afd854daa91094f733d64c8bd2a66b2166fcb71280fed3cfbee
              • Opcode Fuzzy Hash: c49ef88791390e13127093d6cc3f85d5df9b1cddf84d4ddcafe85a0cfe6d9598
              • Instruction Fuzzy Hash: E7016971941305FAE720BFA6980271C77A0AF0472AF21454FF845A72C2EA7849488A5A
              APIs
              • __EH_prolog3.LIBCMT ref: 004517F7
                • Part of subcall function 004115ED: __EH_prolog3.LIBCMT ref: 004115F4
                • Part of subcall function 0048376D: __EH_prolog3_GS.LIBCMT ref: 00483777
              • SetErrorMode.KERNEL32(00008001,0000000A), ref: 00451847
              • SetFileAttributesW.KERNEL32(0000000A,00000080), ref: 00451851
              • DeleteFileW.KERNEL32(0000000A), ref: 0045185A
              • SetErrorMode.KERNEL32(00000000), ref: 0045186A
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: ErrorFileH_prolog3Mode$AttributesDeleteH_prolog3_
              • String ID:
              • API String ID: 2831870221-0
              • Opcode ID: ca7cbd7f65a39a15ca4a809c088587ebb358824854dc54576db21781bed6f761
              • Instruction ID: 85cbf667083dcbcb0543f8f323c86059742897fe501ff5fb73c9be89221a9799
              • Opcode Fuzzy Hash: ca7cbd7f65a39a15ca4a809c088587ebb358824854dc54576db21781bed6f761
              • Instruction Fuzzy Hash: 28012672A00204BBEF107FA5CD0676E3F61AF40755F004126FE059B0A2CB788A59CBD9
              APIs
              • GetDC.USER32(?), ref: 0043EB52
              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0043EB5F
              • MulDiv.KERNEL32(?,00000000), ref: 0043EB69
              • ReleaseDC.USER32(?,00000000), ref: 0043EB77
              • CreateFontW.GDI32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,00000000,00000000,00000000,?), ref: 0043EB95
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: CapsCreateDeviceFontRelease
              • String ID:
              • API String ID: 2367478762-0
              • Opcode ID: 117a39c6cfdfd9955a7946687ab38b50b50efd348e6db37c0b7d595c4b48b1ab
              • Instruction ID: f8b56a76b3bc36bd6b9938f20cd9c4afc0bce2141d620358a544b2fcf64dcb70
              • Opcode Fuzzy Hash: 117a39c6cfdfd9955a7946687ab38b50b50efd348e6db37c0b7d595c4b48b1ab
              • Instruction Fuzzy Hash: 95F098B2100119BFEB122FA1EC08CBF3F6DEB49761B018121FE05D5060C73A8D21ABB5
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 0048E104
              • SysAllocString.OLEAUT32(?), ref: 0048E125
              • SysFreeString.OLEAUT32(00000000), ref: 0048E2DE
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: String$AllocFreeH_prolog3_
              • String ID:
              • API String ID: 1289132702-410699589
              • Opcode ID: fec6d16049ee690a86d3a6f6a6978ac4e1890f128bd53ef15aef64d9cbfd5480
              • Instruction ID: 870e273d5633c0d8d17c151b36a7d15d2615aa377fee9a5c48e39589fdff98ce
              • Opcode Fuzzy Hash: fec6d16049ee690a86d3a6f6a6978ac4e1890f128bd53ef15aef64d9cbfd5480
              • Instruction Fuzzy Hash: 7A61E130A042149FCF24FFAAC9846ADB7B5BF45304F1049AFE450DB2A1D7789D86CB99
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 00420B11
                • Part of subcall function 00403E30: GetLastError.KERNEL32 ref: 00403E4F
                • Part of subcall function 00403E30: SetLastError.KERNEL32(?), ref: 00403E7F
                • Part of subcall function 00420177: __EH_prolog3_GS.LIBCMT ref: 0042017E
                • Part of subcall function 00420AA0: __EH_prolog3.LIBCMT ref: 00420AA7
                • Part of subcall function 00416398: __EH_prolog3_GS.LIBCMT ref: 004163A2
                • Part of subcall function 004202D0: __EH_prolog3_GS.LIBCMT ref: 004202D7
                • Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00415457,00000000,?,00000000,?,00000001,00000044,004152EA,004CC0A0,?,00000000,00000000,00000040,004115AA), ref: 00401B8F
                • Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
                • Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
                • Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4
                • Part of subcall function 0048FE24: __EH_prolog3.LIBCMT ref: 0048FE2B
                • Part of subcall function 004115ED: __EH_prolog3.LIBCMT ref: 004115F4
                • Part of subcall function 00411456: __EH_prolog3.LIBCMT ref: 0041145D
                • Part of subcall function 00491A77: __EH_prolog3_GS.LIBCMT ref: 00491A81
                • Part of subcall function 004114D7: __EH_prolog3_GS.LIBCMT ref: 004114DE
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: H_prolog3_$ErrorH_prolog3Last$FreeString
              • String ID: %ld$.ini$0x%04x
              • API String ID: 4231056545-494970429
              • Opcode ID: 0223b1ec23d6457000d6902a95a6a636135de35da2ec7cc258d22ddff18885fc
              • Instruction ID: 2a1bc4009a08cd4a4de62d5e240199deb581e492e9112646178f6e8f8c6b6d99
              • Opcode Fuzzy Hash: 0223b1ec23d6457000d6902a95a6a636135de35da2ec7cc258d22ddff18885fc
              • Instruction Fuzzy Hash: 9571AD7190026CEACB10EBE4CC55BEEBBB8AF15308F5000DEE505B7192DB785B48DBA5
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 004460FF
                • Part of subcall function 0044477D: __EH_prolog3_catch.LIBCMT ref: 00444784
                • Part of subcall function 0044477D: lstrcmpW.KERNEL32(?,004CBE7C,?,?,004CBE7C,?,?,00000004,00446CDB,Startup,Source,00000001,?,00000400,00000452), ref: 004447AC
                • Part of subcall function 00455577: _malloc.LIBCMT ref: 0045558F
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: H_prolog3_H_prolog3_catch_malloclstrcmp
              • String ID: Creating setup dialog...$Startup$session.cpp
              • API String ID: 43970051-4223746603
              • Opcode ID: ed7c238a1d26bc48a479a6c976c70b7adac714354be6b098644984d91c17ef08
              • Instruction ID: 3bc1abf04e4304a759b83260c8e85aaad1538417b62b76a7dbfa7ddfa8957653
              • Opcode Fuzzy Hash: ed7c238a1d26bc48a479a6c976c70b7adac714354be6b098644984d91c17ef08
              • Instruction Fuzzy Hash: 97518E30A01258EBDB25EB60CC59BDDB7B8AB14308F4002EBE119A31E2DB785F84CF55
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 00432B13
                • Part of subcall function 004115ED: __EH_prolog3.LIBCMT ref: 004115F4
                • Part of subcall function 004329EA: __EH_prolog3_GS.LIBCMT ref: 004329F1
                • Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00415457,00000000,?,00000000,?,00000001,00000044,004152EA,004CC0A0,?,00000000,00000000,00000040,004115AA), ref: 00401B8F
                • Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
                • Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
                • Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4
                • Part of subcall function 00403E30: GetLastError.KERNEL32 ref: 00403E4F
                • Part of subcall function 00403E30: SetLastError.KERNEL32(?), ref: 00403E7F
                • Part of subcall function 004160CC: __EH_prolog3.LIBCMT ref: 004160D3
                • Part of subcall function 00416071: SysStringLen.OLEAUT32(?), ref: 0041607E
                • Part of subcall function 00416071: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 00416098
              • GetModuleFileNameW.KERNEL32(00000000,00000000,00000400,?,00000400,?,?,00000000,00000000,ISSetup.dll,?,00000001,000000A8,0043481B,?), ref: 00432BAF
                • Part of subcall function 00411BD3: __EH_prolog3_GS.LIBCMT ref: 00411BDA
                • Part of subcall function 00411BD3: GetLastError.KERNEL32(00000038,004212CA), ref: 00411BE1
                • Part of subcall function 00411BD3: SetLastError.KERNEL32(00000000), ref: 00411C37
                • Part of subcall function 00416398: __EH_prolog3_GS.LIBCMT ref: 004163A2
                • Part of subcall function 004114D7: __EH_prolog3_GS.LIBCMT ref: 004114DE
                • Part of subcall function 004202D0: __EH_prolog3_GS.LIBCMT ref: 004202D7
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: ErrorH_prolog3_Last$String$FreeH_prolog3$AllocFileModuleName
              • String ID: ISSetup.dll$ISSetup.dll
              • API String ID: 3766261395-1816852773
              • Opcode ID: 4c603bffb64d255a5f8b4f924cb4008589fddd25f61d2c4b9bac6c2afc2bb472
              • Instruction ID: 98b6e5ada16263499476255f4c7b45ba89e14761875de1b13d5ab784ecc141e8
              • Opcode Fuzzy Hash: 4c603bffb64d255a5f8b4f924cb4008589fddd25f61d2c4b9bac6c2afc2bb472
              • Instruction Fuzzy Hash: 4D41B571900218EEDB00EBA1CC91BDEB7B8AF11318F10419EF541A71E2EB781F49CB55
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 0043B898
                • Part of subcall function 00402CA0: GetLastError.KERNEL32(17703A82,?,00000000,?,?,?,004B3A88,000000FF,?,00401F2D,InstallShield.log,?,00000001), ref: 00402CF0
                • Part of subcall function 00402CA0: SetLastError.KERNEL32(?,004CBE7C,00000000,?,00000000,?,?,?,004B3A88,000000FF,?,00401F2D,InstallShield.log,?,00000001), ref: 00402D68
                • Part of subcall function 00401AC0: GetLastError.KERNEL32(?,00000000,004035F7,00000000,00000000,?,?,00000000,004CBE7C,?,00000001,?,00000000,000000FF,-00000004,?), ref: 00401ACF
                • Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AEB
                • Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AF6
                • Part of subcall function 00401AC0: SetLastError.KERNEL32(?), ref: 00401B14
                • Part of subcall function 00403E30: GetLastError.KERNEL32 ref: 00403E4F
                • Part of subcall function 00403E30: SetLastError.KERNEL32(?), ref: 00403E7F
                • Part of subcall function 0041918F: __EH_prolog3_GS.LIBCMT ref: 00419196
                • Part of subcall function 0042E688: __EH_prolog3_GS.LIBCMT ref: 0042E68F
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: ErrorLast$H_prolog3_$FreeString
              • String ID: /n %s$:InstanceId%d.mst$MSINEWINSTANCE=1
              • API String ID: 1274762985-3737453586
              • Opcode ID: 954b9233913db525df62834b6f5a66d48ee9831916f2c2842b43756601a273c0
              • Instruction ID: 6e15ba8a9de3d6ba0946ad3807d2bfc8d35357059a77df1342450b390baa121b
              • Opcode Fuzzy Hash: 954b9233913db525df62834b6f5a66d48ee9831916f2c2842b43756601a273c0
              • Instruction Fuzzy Hash: CB414D71804258EBCF14DFE5C891ADEBBB8BF14308F50416FE105A7182DB786A0ACB99
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 00419BCF
                • Part of subcall function 00419F87: __EH_prolog3_GS.LIBCMT ref: 00419F8E
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: H_prolog3_
              • String ID: MsiVersion
              • API String ID: 2427045233-1669961159
              • Opcode ID: e845e11b25e5bcec9cf6bcbf30aed9bb051c92cc58662730c3413884b88dd943
              • Instruction ID: 7eb406b9e350626db76e38af4fda3895033c4849fbee3d562dc420d23f4b54e7
              • Opcode Fuzzy Hash: e845e11b25e5bcec9cf6bcbf30aed9bb051c92cc58662730c3413884b88dd943
              • Instruction Fuzzy Hash: DC318471A00318EFDF14DBA4CC95BDDB3B9AF45304F1400AAE545AB192DB789E88CB65
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 00489CD4
                • Part of subcall function 00411254: __EH_prolog3.LIBCMT ref: 0041125B
                • Part of subcall function 00411254: GetLastError.KERNEL32(00000004,00411484,00000000,00000000,00000004,004152FC,?,00000001,00411C1B,00000000), ref: 0041127D
                • Part of subcall function 00411254: SetLastError.KERNEL32(?,00000000), ref: 004112BD
                • Part of subcall function 0048B489: __EH_prolog3.LIBCMT ref: 0048B490
                • Part of subcall function 00411357: __EH_prolog3.LIBCMT ref: 0041135E
                • Part of subcall function 00411357: GetLastError.KERNEL32(00000004,00411629,00000000,?,00000000,00000004,0041643B,-00000004,?,00000001,?,00000000), ref: 00411380
                • Part of subcall function 00411357: SetLastError.KERNEL32(?,00000000,?), ref: 004113C1
                • Part of subcall function 004114D7: __EH_prolog3_GS.LIBCMT ref: 004114DE
                • Part of subcall function 004115ED: __EH_prolog3.LIBCMT ref: 004115F4
                • Part of subcall function 00487F05: __EH_prolog3_GS.LIBCMT ref: 00487F0F
                • Part of subcall function 00487F05: _memset.LIBCMT ref: 00487FA9
                • Part of subcall function 00487F05: CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000044,004F4918,?,00000000,00489D99,0000000A,00000000), ref: 00488021
                • Part of subcall function 00487F05: GetLastError.KERNEL32 ref: 0048803C
                • Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00415457,00000000,?,00000000,?,00000001,00000044,004152EA,004CC0A0,?,00000000,00000000,00000040,004115AA), ref: 00401B8F
                • Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
                • Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
                • Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: ErrorLast$H_prolog3$H_prolog3_$FreeString$CreateProcess_memset
              • String ID: /REGSERVER$ /UNREGSERVER$open
              • API String ID: 2413291776-1423703008
              • Opcode ID: c2e26c7bbb870264f387e15e29b3444425d6726a186b3f44e1bb4407a56d9d46
              • Instruction ID: 0f0980fa12772bffb5116e44359a5522e427a7295a9deff819c1c77e5f90da5f
              • Opcode Fuzzy Hash: c2e26c7bbb870264f387e15e29b3444425d6726a186b3f44e1bb4407a56d9d46
              • Instruction Fuzzy Hash: 2F210A74E00308AEDB00EBB5C853BEEBBB89F45704F50005EF9049B291D7B94A49C7DA
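The per-function API listings above (the GetFileSize/CreateFileMappingW/MapViewOfFile block, the SetErrorMode/SetFileAttributesW/DeleteFileW block, and the CreateProcessW block with the /REGSERVER and /UNREGSERVER strings) are what an analyst actually triages from a report like this. The script below is an added example, not code from the report or from Joe Sandbox: it parses the block format as it appears on this page, names the flag bits of concrete SetErrorMode and SetFileAttributesW arguments, and applies three hypothetical triage rules. The FunctionBlock type, the flag tables, the rule names and the abbreviated sample text (three blocks copied from this page with argument lists shortened) are all my own construction.

```python
"""Parse the per-function "APIs" blocks of a Joe Sandbox report for triage.
Added example; not code from the report or from Joe Sandbox. The FunctionBlock
type, flag tables and rule names are my own."""
import re
from dataclasses import dataclass, field

# Constructed sample: three blocks from this report, abbreviated (argument lists
# shortened; API names, modules and ref addresses as shown on the page).
SAMPLE = """\
APIs
• GetFileSize.KERNEL32(?,00000000,00000000), ref: 0040FAD2
• CreateFileMappingW.KERNEL32(?,00000000,00000004,00000000), ref: 0040FAE4
• MapViewOfFile.KERNEL32(00000000,00000002,00000000), ref: 0040FAF7
• UnmapViewOfFile.KERNEL32(00000000,?,?), ref: 0040FB15
• CloseHandle.KERNEL32(00000000,?,?), ref: 0040FB1C
APIs
• __EH_prolog3.LIBCMT ref: 004517F7
  • Part of subcall function 004115ED: __EH_prolog3.LIBCMT ref: 004115F4
• SetErrorMode.KERNEL32(00008001,0000000A), ref: 00451847
• SetFileAttributesW.KERNEL32(0000000A,00000080), ref: 00451851
• DeleteFileW.KERNEL32(0000000A), ref: 0045185A
• SetErrorMode.KERNEL32(00000000), ref: 0045186A
APIs
• __EH_prolog3_GS.LIBCMT ref: 00489CD4
  • Part of subcall function 00487F05: CreateProcessW.KERNEL32(00000000,00000000,00000000), ref: 00488021
  • Part of subcall function 00487F05: GetLastError.KERNEL32 ref: 0048803C
Similarity
• String ID: /REGSERVER$ /UNREGSERVER$open
"""

API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function ([0-9A-F]{8}):\s*)?"   # optional callee
    r"([A-Za-z_][A-Za-z_0-9]*)\.([A-Z0-9]+)"                      # api.MODULE
    r"(?:\((.*)\))?,?\s*ref:\s*([0-9A-F]{8})\s*$"                 # (args), ref: addr
)
STRING_RE = re.compile(r"^\s*•\s*String ID:\s*(.*?)\s*$")

# (argument index, bit -> name) for flag arguments worth naming; Win32 constant values.
FLAG_TABLES = {
    "SetErrorMode": (0, {0x1: "SEM_FAILCRITICALERRORS", 0x2: "SEM_NOGPFAULTERRORBOX",
                         0x4: "SEM_NOALIGNMENTFAULTEXCEPT", 0x8000: "SEM_NOOPENFILEERRORBOX"}),
    "SetFileAttributesW": (1, {0x1: "FILE_ATTRIBUTE_READONLY", 0x2: "FILE_ATTRIBUTE_HIDDEN",
                               0x4: "FILE_ATTRIBUTE_SYSTEM", 0x80: "FILE_ATTRIBUTE_NORMAL"}),
}

# Hypothetical triage rules: a block matches when it (directly or via a subcall) uses every API listed.
RULES = {
    "maps file into memory": {"CreateFileMappingW", "MapViewOfFile"},
    "clears attributes then deletes file": {"SetFileAttributesW", "DeleteFileW"},
    "spawns a child process": {"CreateProcessW"},
}


@dataclass
class FunctionBlock:
    first_ref: str = ""                              # address of the first direct call site
    direct: list = field(default_factory=list)       # (api, module, raw args)
    subcalls: list = field(default_factory=list)     # (callee address, api, module)
    strings: list = field(default_factory=list)      # "String ID" entries, split on '$'


def parse_blocks(text):
    """Split report text into FunctionBlocks; one block per 'APIs' heading."""
    blocks = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            blocks.append(FunctionBlock())
        elif not blocks:
            continue                                 # text before the first block
        elif (m := API_RE.match(line)):
            callee, api, module, args, ref = m.groups()
            if callee:
                blocks[-1].subcalls.append((callee, api, module))
            else:
                blocks[-1].first_ref = blocks[-1].first_ref or ref
                blocks[-1].direct.append((api, module, args or ""))
        elif (m := STRING_RE.match(line)) and m.group(1):
            blocks[-1].strings = [s.strip() for s in m.group(1).split("$") if s.strip()]
    return blocks


def decode_flags(api, args):
    """Name the set bits of the flag argument when the report shows a concrete value."""
    if api not in FLAG_TABLES:
        return None
    index, table = FLAG_TABLES[api]
    parts = [p.strip() for p in args.split(",")]
    if index >= len(parts) or not re.fullmatch(r"[0-9A-F]{8}", parts[index]):
        return None                                  # '?' or missing: value unknown
    value = int(parts[index], 16)
    return [name for bit, name in table.items() if value & bit]


def triage(block):
    """Return the rule names a block matches, plus any '/' switches beside CreateProcessW."""
    apis = {a for a, _, _ in block.direct} | {a for _, a, _ in block.subcalls}
    hits = [name for name, needed in RULES.items() if needed <= apis]
    if "CreateProcessW" in apis:
        switches = [s for s in block.strings if s.startswith("/")]
        if switches:
            hits.append("command-line switches: " + ", ".join(switches))
    return hits


if __name__ == "__main__":
    for b in parse_blocks(SAMPLE):
        print(b.first_ref, triage(b))
        for api, _, args in b.direct:
            if (names := decode_flags(api, args)):
                print("   ", api, "->", "|".join(names))
```

Running it on the sample reports the second block as SetErrorMode(SEM_FAILCRITICALERRORS|SEM_NOOPENFILEERRORBOX) followed by SetFileAttributesW(FILE_ATTRIBUTE_NORMAL) and DeleteFileW, i.e. a deletion that first clears read-only and suppresses error dialogs, and the third block as a CreateProcessW site whose nearby strings include the /REGSERVER and /UNREGSERVER switches. Argument values in these listings are stack snapshots, so a '?' or an implausible value is left undecoded rather than guessed.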
              APIs
              • _memset.LIBCMT ref: 00444C4A
                • Part of subcall function 00419EA4: __EH_prolog3_GS.LIBCMT ref: 00419EAB
              • wsprintfW.USER32 ref: 00444CC7
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: H_prolog3__memsetwsprintf
              • String ID: %s/%s$Location
              • API String ID: 2010508751-42320356
              • Opcode ID: aad1155328fded39337f7716f6734bbcdaeebd1cbbbcdd1b28a7c4e7298bff2f
              • Instruction ID: ccc8ca5a96899e5f6f7693de7d25ab0e389f27b05da9690d26ef4fbcf2b5d2f0
              • Opcode Fuzzy Hash: aad1155328fded39337f7716f6734bbcdaeebd1cbbbcdd1b28a7c4e7298bff2f
              • Instruction Fuzzy Hash: 65214172900218AFD710EB54DC45FEAB3BCFB08755F0045AEF555E3181EB78AB448BA4
              Strings
              • \StringFileInfo\%04hX%04hX\, xrefs: 00499480
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID:
              • String ID: \StringFileInfo\%04hX%04hX\
              • API String ID: 0-1885460495
              • Opcode ID: ef9ae63cabab7836e9a600d4591bc923ef365cab260d8dfa143ad802575a622e
              • Instruction ID: 76a3e3303e5daff5538b5aa41b567c7503b4e1f411639340a15f551154dc3713
              • Opcode Fuzzy Hash: ef9ae63cabab7836e9a600d4591bc923ef365cab260d8dfa143ad802575a622e
              • Instruction Fuzzy Hash: 1D2174B590412CBBCF11DB65CC84AEAB7BCBB14304F5001BBE906D2541D739EE558BA4
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 00487A2A
                • Part of subcall function 00480310: _memset.LIBCMT ref: 00480339
                • Part of subcall function 004114D7: __EH_prolog3_GS.LIBCMT ref: 004114DE
                • Part of subcall function 0047F829: __EH_prolog3_GS.LIBCMT ref: 0047F833
                • Part of subcall function 0047F829: GetModuleHandleW.KERNEL32(KERNEL32.DLL), ref: 0047F856
                • Part of subcall function 0047F829: GetProcAddress.KERNEL32(00000000,GetSystemWindowsDirectoryW), ref: 0047F86A
                • Part of subcall function 00411254: __EH_prolog3.LIBCMT ref: 0041125B
                • Part of subcall function 00411254: GetLastError.KERNEL32(00000004,00411484,00000000,00000000,00000004,004152FC,?,00000001,00411C1B,00000000), ref: 0041127D
                • Part of subcall function 00411254: SetLastError.KERNEL32(?,00000000), ref: 004112BD
                • Part of subcall function 004202D0: __EH_prolog3_GS.LIBCMT ref: 004202D7
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: H_prolog3_$ErrorLast$AddressH_prolog3HandleModuleProc_memset
              • String ID: 8ML$Kernel32.dll$Z
              • API String ID: 1928657999-2992959837
              • Opcode ID: 6bc90aabb55cde9e3d2a2569f4d8d9a9102b667b1077b5df9c319df04fcf48a3
              • Instruction ID: 1e0f28ea19960c147ef4aef0344057e49b5ba6a1c49b1f17c6537c6340cc4267
              • Opcode Fuzzy Hash: 6bc90aabb55cde9e3d2a2569f4d8d9a9102b667b1077b5df9c319df04fcf48a3
              • Instruction Fuzzy Hash: 6C2171319002189EDB54FB95C8A2BDD7378AF14708F5084DEE14967192EFBC6E8DCB19
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: CountH_prolog3_Tick
              • String ID: SplashTime$Startup
              • API String ID: 2349883465-926283664
              • Opcode ID: 12b2d0ac2c5f1c3a0b9bce0a1a40ad8adbd2e28c211df2dbba33a8c70e3e0486
              • Instruction ID: 78a2c4816e7d03714707269e044850bfc6c89e7c725c2d4af717a1c6045b1a5f
              • Opcode Fuzzy Hash: 12b2d0ac2c5f1c3a0b9bce0a1a40ad8adbd2e28c211df2dbba33a8c70e3e0486
              • Instruction Fuzzy Hash: BB210330A04214DFEB14CBB4D845BEE77B8AF01308F65016EE441AB2D2CB7C4A09CB5A
              APIs
              Strings
              • C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}, xrefs: 00444279
              • Extracting setup.ini..., xrefs: 0044421A
              • session.cpp, xrefs: 00444204
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: H_prolog3_
              • String ID: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}$Extracting setup.ini...$session.cpp
              • API String ID: 2427045233-3073965608
              • Opcode ID: ca9d23147d25e8c2f2ac39ef1001cdd40c30f750eb0bcf6e9c8a5e592985ef77
              • Instruction ID: d0268518ff8fa17a0963b11602a10a4f9dc1bbdb3a8017271be4c7084b2f6a4d
              • Opcode Fuzzy Hash: ca9d23147d25e8c2f2ac39ef1001cdd40c30f750eb0bcf6e9c8a5e592985ef77
              • Instruction Fuzzy Hash: 4E119170A40248AEEB10DBA0CD96BEE7268AB50348F60016FB101671D2DBBC5A09CB2C
              APIs
              • __EH_prolog3.LIBCMT ref: 0041FC1F
                • Part of subcall function 0041FAD7: __EH_prolog3.LIBCMT ref: 0041FADE
                • Part of subcall function 0041FAD7: SysStringLen.OLEAUT32(?), ref: 0041FB12
              • SysStringLen.OLEAUT32(?), ref: 0041FC3D
                • Part of subcall function 0041DFC0: __EH_prolog3.LIBCMT ref: 0041DFC7
                • Part of subcall function 0041DFC0: GetLastError.KERNEL32(00000004,0041E18C), ref: 0041DFE4
                • Part of subcall function 0041DFC0: SysFreeString.OLEAUT32(?), ref: 0041DFF1
                • Part of subcall function 0041DFC0: SetLastError.KERNEL32(?), ref: 0041E00B
                • Part of subcall function 0041DFC0: GetLastError.KERNEL32 ref: 0041E01E
                • Part of subcall function 0041DFC0: SysFreeString.OLEAUT32(?), ref: 0041E043
                • Part of subcall function 0041DFC0: SetLastError.KERNEL32(?), ref: 0041E057
                • Part of subcall function 00420034: SysStringLen.OLEAUT32(00000000), ref: 00420044
              • SysStringLen.OLEAUT32(00000000), ref: 0041FC8C
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: String$ErrorLast$H_prolog3$Free
              • String ID: .
              • API String ID: 3302090590-248832578
              • Opcode ID: c5dd9ebb75e432bdc30688389138ca9c26ddb6d7e99f26c87e4f843c107bd994
              • Instruction ID: 9ebf9d3734a05f6d3d32de429d763796844e64ff2af62e311d6e2dd008a7483b
              • Opcode Fuzzy Hash: c5dd9ebb75e432bdc30688389138ca9c26ddb6d7e99f26c87e4f843c107bd994
              • Instruction Fuzzy Hash: A611A370510218AFDB00EFA5CC94BEE76A8FF05329F50472AB421A61D1CBBC4E89C7A5
              APIs
              • _memset.LIBCMT ref: 004464BB
                • Part of subcall function 0041292E: __EH_prolog3_GS.LIBCMT ref: 00412935
              • lstrlenW.KERNEL32(?,Startup,ClickOncePackage,004CBE7C,?,00000400), ref: 004464ED
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: H_prolog3__memsetlstrlen
              • String ID: ClickOncePackage$Startup
              • API String ID: 1437836783-2858441910
              • Opcode ID: a3e9239d73f8f947f697c2faaee97a8466134166c9b3923c6a10cc4aad3d7d01
              • Instruction ID: 71bb5c11c73041e3d5b523a4a62cfb505cf2155a218eef0a226eba7cbb3aa10f
              • Opcode Fuzzy Hash: a3e9239d73f8f947f697c2faaee97a8466134166c9b3923c6a10cc4aad3d7d01
              • Instruction Fuzzy Hash: 0101D065A40308BBD720EF749C46FE673ECFB04704F11547BA645E2281DA749E4C8798
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 00444B83
                • Part of subcall function 00419EA4: __EH_prolog3_GS.LIBCMT ref: 00419EAB
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: H_prolog3_
              • String ID: /qb$/qn$/quiet
              • API String ID: 2427045233-508938941
              • Opcode ID: 2d7835b0d6fc9d94ccdacda42985de8118e2e1c343910d06069950425bb03717
              • Instruction ID: 0410cd4f366a8c1c1b9a4780b58bd726496474ec7441b6e64866f6fc75c9b6b8
              • Opcode Fuzzy Hash: 2d7835b0d6fc9d94ccdacda42985de8118e2e1c343910d06069950425bb03717
              • Instruction Fuzzy Hash: AF017174D00208AADF14EFA5C8957DDB6B0EF84318F64412FE521AB1E1D7389D46CB18
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 004507F1
                • Part of subcall function 00420B07: __EH_prolog3_GS.LIBCMT ref: 00420B11
              • wsprintfW.USER32 ref: 00450833
              • wvsprintfW.USER32(?,?,00000000), ref: 0045084E
                • Part of subcall function 0044FF80: __EH_prolog3_GS.LIBCMT ref: 0044FF8A
                • Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00415457,00000000,?,00000000,?,00000001,00000044,004152EA,004CC0A0,?,00000000,00000000,00000040,004115AA), ref: 00401B8F
                • Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
                • Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
                • Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: H_prolog3_$ErrorFreeLastString$wsprintfwvsprintf
              • String ID: %d: %s
              • API String ID: 244791219-204819183
              • Opcode ID: 1afa885d4239810de2dafec58f627ee6c0abacfaeeb4bad3c867c910155bf452
              • Instruction ID: d246121e36d50b1b1d6b8c5854ab0b0d7950fea14567a59d4ff9f54d18053173
              • Opcode Fuzzy Hash: 1afa885d4239810de2dafec58f627ee6c0abacfaeeb4bad3c867c910155bf452
              • Instruction Fuzzy Hash: F70100B1900119EBDF20DBA4DC45BDD77B8BB04319F5042EAE608E6091DB389B99CF6C
              APIs
              • GetModuleHandleW.KERNEL32(Advapi32.dll,?,?,0042E962,?,?,00000000,?,?,?,?,?,?), ref: 004373A0
              • GetProcAddress.KERNEL32(00000000,RegCreateKeyTransactedW), ref: 004373B0
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: AddressHandleModuleProc
              • String ID: Advapi32.dll$RegCreateKeyTransactedW
              • API String ID: 1646373207-2994018265
              • Opcode ID: 95b83407cac6d95d589862b5d5efe7fa374a8a5f08aff048290958b6954405a4
              • Instruction ID: a6fdfae8ee48dbaf1c6ae0a7cebf14b3c990189ed928773dee7d61eed636a793
              • Opcode Fuzzy Hash: 95b83407cac6d95d589862b5d5efe7fa374a8a5f08aff048290958b6954405a4
              • Instruction Fuzzy Hash: A7F04F32108209EBDF225F94DC04FE63BA5FF0C751F155426FE4090560C37AC860EB94
              APIs
              • GetModuleHandleW.KERNEL32(Advapi32.dll,?,?,?,00440451,?,?), ref: 00440CA3
              • GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedW), ref: 00440CB3
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: AddressHandleModuleProc
              • String ID: Advapi32.dll$RegDeleteKeyTransactedW
              • API String ID: 1646373207-2168864297
              • Opcode ID: fff659c11e7745b0ebb0635ea27bd69b64699f0492a24e3eb9d1ac8a46033688
              • Instruction ID: 20a12080304c718047a329c9ad47951ed9959a31c48b5e8dd4bc3693d4129083
              • Opcode Fuzzy Hash: fff659c11e7745b0ebb0635ea27bd69b64699f0492a24e3eb9d1ac8a46033688
              • Instruction Fuzzy Hash: FAF08232200200FB97252B6A9D48E67BBB8FFC1B62315423BF645D1510D63D8461E668
              APIs
              • GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 00401830
              • GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 00401840
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: AddressHandleModuleProc
              • String ID: Advapi32.dll$RegOpenKeyTransactedW
              • API String ID: 1646373207-3913318428
              • Opcode ID: 19e5653044568b2cb37c28b09935bd14a17fc332a701b8db469f1485e58ee876
              • Instruction ID: 3a4f37edbe01714f5880c00d2a767e189ac02baf8ade4d07473076841bc5c142
              • Opcode Fuzzy Hash: 19e5653044568b2cb37c28b09935bd14a17fc332a701b8db469f1485e58ee876
              • Instruction Fuzzy Hash: AEF05433100218ABDB116FA5EC05FD777A5EB04751F048437F901911B0C77AC9A0DBA4
              APIs
              • GetModuleHandleW.KERNEL32(Advapi32.lib,IsTextUnicode), ref: 00487B8F
              • GetProcAddress.KERNEL32(00000000), ref: 00487B96
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: AddressHandleModuleProc
              • String ID: Advapi32.lib$IsTextUnicode
              • API String ID: 1646373207-3723215607
              • Opcode ID: 793e9621d0a1712b60a17438b2028e6e69bc75fdf2d967c3d6229f77cfd01630
              • Instruction ID: 58a8887619583b37c8c6b5488362d2b33d7bb6ba7ef27e25bb521dd997ed691d
              • Opcode Fuzzy Hash: 793e9621d0a1712b60a17438b2028e6e69bc75fdf2d967c3d6229f77cfd01630
              • Instruction Fuzzy Hash: 71E02B31108719B78F203FA08C16DAF7BAB9F417183288827FC2497280C63DE58097BD
              APIs
              • GetModuleHandleW.KERNEL32(Kernel32,GetDiskFreeSpaceExW), ref: 0048531D
              • GetProcAddress.KERNEL32(00000000), ref: 00485324
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: AddressHandleModuleProc
              • String ID: GetDiskFreeSpaceExW$Kernel32
              • API String ID: 1646373207-300760764
              • Opcode ID: b6a2934831663018b7a2f2050c6c2d60021b5213b11da60a00c2abc37b5ec7e7
              • Instruction ID: 8c09a6c52dce3decdc726bbc77e640e01cd35b4c8bf0937d2c7a6d56182cb9b4
              • Opcode Fuzzy Hash: b6a2934831663018b7a2f2050c6c2d60021b5213b11da60a00c2abc37b5ec7e7
              • Instruction Fuzzy Hash: 45D01736140209BBDF026FE1FD04EAA3BB9AB44A507084425FA1980020C67AC520AB18
              APIs
              • GetModuleHandleW.KERNEL32(kernel32.dll,GetProcessId,?,004881D7,?), ref: 004863AD
              • GetProcAddress.KERNEL32(00000000), ref: 004863B4
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: AddressHandleModuleProc
              • String ID: GetProcessId$kernel32.dll
              • API String ID: 1646373207-399901964
              • Opcode ID: 92dc4db9963b231c70707e7bb4b5fac1874f58191589f17f5fbc3c34186d5933
              • Instruction ID: dc8ebbdaa78e90e4ad8d5ddfea86babce2202db8d9bb190f21dfafabf0e336e6
              • Opcode Fuzzy Hash: 92dc4db9963b231c70707e7bb4b5fac1874f58191589f17f5fbc3c34186d5933
              • Instruction Fuzzy Hash: 5AD012312447086BBB012BF5AC49E2A3BACAB40A943191532FC1CD0460DA7ED4609668
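The six records above (RegCreateKeyTransactedW, RegDeleteKeyTransactedW, RegOpenKeyTransactedW, IsTextUnicode, GetDiskFreeSpaceExW, GetProcessId) are the concrete instances behind the report's "Extensive use of GetProcAddress" signature: each pairs a GetModuleHandleW call with a following GetProcAddress in the same function. The script below is an added example, not part of the Joe Sandbox report or its IDA plugin; it parses "APIs" lines in the plugin's own format, pairs each loader call with the GetProcAddress that follows it, and rebuilds the list of dynamically resolved imports per module. The sample input is constructed from lines copied from the records above. Two points are assumptions rather than report facts: the heuristic that an export name is the first identifier-looking argument of GetProcAddress or, failing that, of the loader call (the plugin prints stack leftovers as arguments, which is why "IsTextUnicode" and "GetDiskFreeSpaceExW" appear next to the module name); and the warning for a module name such as "Advapi32.lib", based on the documented rule that GetModuleHandle appends ".dll" only when no extension is given, so a ".lib" name does not resolve to advapi32.dll.

```python
import re
from collections import defaultdict

# Constructed sample input: "APIs" lines copied from the SureDI.exe function
# records, in the Joe Sandbox IDA plugin's own line format.
SAMPLE_RECORDS = """\
APIs
• GetModuleHandleW.KERNEL32(Advapi32.dll,?,?,0042E962,?,?,00000000,?,?,?,?,?,?), ref: 004373A0
• GetProcAddress.KERNEL32(00000000,RegCreateKeyTransactedW), ref: 004373B0
APIs
• GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 00401830
• GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 00401840
APIs
• GetModuleHandleW.KERNEL32(Advapi32.lib,IsTextUnicode), ref: 00487B8F
• GetProcAddress.KERNEL32(00000000), ref: 00487B96
APIs
• GetModuleHandleW.KERNEL32(Kernel32,GetDiskFreeSpaceExW), ref: 0048531D
• GetProcAddress.KERNEL32(00000000), ref: 00485324
APIs
• GetModuleHandleW.KERNEL32(kernel32.dll,GetProcessId,?,004881D7,?), ref: 004863AD
• GetProcAddress.KERNEL32(00000000), ref: 004863B4
APIs
• wsprintfW.USER32 ref: 00444CC7
"""

# One plugin line: "<bullet> [Part of subcall function X: ]Api.MODULE[(args)], ref: ADDR"
CALL_RE = re.compile(
    r"^\s*[•*\-]?\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"          # e.g. GetProcAddress.KERNEL32
    r"(?:\((?P<args>[^)]*)\))?"            # optional argument list
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"   # call-site address
)

LOADERS = {"GetModuleHandleW", "GetModuleHandleA", "LoadLibraryW", "LoadLibraryA"}
RESOLVER = "GetProcAddress"


def _is_symbol(tok):
    """Heuristic (assumption): an export name looks like an identifier, not a '?' or an 8-digit hex address."""
    return bool(re.fullmatch(r"[A-Za-z_]\w*", tok)) and not re.fullmatch(r"[0-9A-Fa-f]{8}", tok)


def parse_calls(text):
    """Split report text into records (one per 'APIs' header), each a list of parsed calls."""
    records, current = [], []
    for line in text.splitlines():
        if line.strip() == "APIs":
            if current:
                records.append(current)
            current = []
            continue
        m = CALL_RE.match(line)
        if m:
            raw = m.group("args")
            args = [a.strip() for a in raw.split(",")] if raw else []
            current.append({"api": m.group("api"), "args": args, "ref": m.group("ref")})
    if current:
        records.append(current)
    return records


def resolved_imports(text):
    """Pair each loader call with the GetProcAddress that follows it in the same record."""
    found = []
    for record in parse_calls(text):
        pending = None
        for call in record:
            if call["api"] in LOADERS and call["args"]:
                pending = call
            elif call["api"] == RESOLVER and pending is not None:
                # Export name: GetProcAddress's 2nd argument when the plugin shows it,
                # otherwise the stack leftover printed after the loader's module name.
                candidates = call["args"][1:] + pending["args"][1:]
                names = [a for a in candidates if _is_symbol(a)]
                module = pending["args"][0]
                base, dot, ext = module.lower().partition(".")
                warning = None
                if dot and ext != "dll":
                    # GetModuleHandle only appends ".dll" when no extension is present.
                    warning = (f"module name {module!r} has extension .{ext}; "
                               f"GetModuleHandle will not resolve it to {base}.dll")
                found.append({"module": base, "function": names[0] if names else None,
                              "loader_ref": pending["ref"], "resolver_ref": call["ref"],
                              "warning": warning})
                pending = None
    return found


def summarize(entries):
    """Group resolved export names by normalised module name."""
    by_module = defaultdict(set)
    for e in entries:
        if e["function"]:
            by_module[e["module"]].add(e["function"])
    return {m: sorted(v) for m, v in by_module.items()}


if __name__ == "__main__":
    entries = resolved_imports(SAMPLE_RECORDS)
    for e in entries:
        flag = f"  [!] {e['warning']}" if e["warning"] else ""
        print(f"{e['loader_ref']} -> {e['resolver_ref']}: {e['module']}!{e['function']}{flag}")
    print(summarize(entries))
```

Run against the full report text instead of the sample, the same two functions give the analyst a dynamic-import table to set beside the static import directory: exports that appear only here are the ones the "Extensive use of GetProcAddress" signature is about, and any loader call flagged with a warning is a lookup that cannot have succeeded as written.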
              APIs
                • Part of subcall function 00444CFA: __EH_prolog3_GS.LIBCMT ref: 00444D04
              • lstrcmpiW.KERNEL32(-00000004,?,?,?,?,?,?,?,?,?,?,?,?,-00000004,PackageCode,?), ref: 0042FE02
                • Part of subcall function 00411BD3: __EH_prolog3_GS.LIBCMT ref: 00411BDA
                • Part of subcall function 00411BD3: GetLastError.KERNEL32(00000038,004212CA), ref: 00411BE1
                • Part of subcall function 00411BD3: SetLastError.KERNEL32(00000000), ref: 00411C37
                • Part of subcall function 0042C865: __EH_prolog3.LIBCMT ref: 0042C86C
                • Part of subcall function 00411456: __EH_prolog3.LIBCMT ref: 0041145D
                • Part of subcall function 0048376D: __EH_prolog3_GS.LIBCMT ref: 00483777
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Similarity
              • API ID: H_prolog3_$ErrorH_prolog3Last$lstrcmpi
              • String ID: F$InstallSource$PackageName
              • API String ID: 4151595970-1171492974
              APIs
              • __EH_prolog3_catch_GS.LIBCMT ref: 00421681
                • Part of subcall function 00402C40: GetLastError.KERNEL32 ref: 00402C5F
                • Part of subcall function 00402C40: SetLastError.KERNEL32(?), ref: 00402C8F
              • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,004CBE7C,0000005C,00421590,?,?,00000000,00000000,00000000,00000000), ref: 004216DB
              • GetFileSize.KERNEL32(00000000,00000000), ref: 0042170E
              • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0042173E
                • Part of subcall function 00404BF0: CloseHandle.KERNELBASE(?,00000000,0048975B,?,0000006C,0048BECB,004881FF,?,?), ref: 00404C03
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Similarity
              • API ID: File$ErrorLast$CloseCreateH_prolog3_catch_HandleReadSize
              • String ID:
              • API String ID: 1210672489-0
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 00442382
                • Part of subcall function 00442329: __EH_prolog3.LIBCMT ref: 00442330
                • Part of subcall function 00410F71: __EH_prolog3.LIBCMT ref: 00410F78
                • Part of subcall function 00455577: _malloc.LIBCMT ref: 0045558F
              • GetModuleFileNameW.KERNEL32(00000000,?,00000400,004CBE7C,?,00000001), ref: 004424E3
              • _memset.LIBCMT ref: 00442584
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Similarity
              • API ID: H_prolog3$FileH_prolog3_ModuleName_malloc_memset
              • String ID:
              • API String ID: 2648561046-0
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 00442382
                • Part of subcall function 00442329: __EH_prolog3.LIBCMT ref: 00442330
                • Part of subcall function 00410F71: __EH_prolog3.LIBCMT ref: 00410F78
                • Part of subcall function 00455577: _malloc.LIBCMT ref: 0045558F
              • GetModuleFileNameW.KERNEL32(00000000,?,00000400,004CBE7C,?,00000001), ref: 004424E3
              • _memset.LIBCMT ref: 00442584
              • _memset.LIBCMT ref: 0044259C
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Similarity
              • API ID: H_prolog3_memset$FileH_prolog3_ModuleName_malloc
              • String ID:
              • API String ID: 1040074069-0
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Similarity
              • API ID: AdjustPointer_memmove
              • String ID:
              • API String ID: 1721217611-0
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 0041531A
              • _strlen.LIBCMT ref: 00415347
              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000044,004152EA,004CC0A0,?,00000000,00000000,00000040,004115AA,00000000), ref: 00415360
              • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041538E
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Similarity
              • API ID: ByteCharMultiWide$H_prolog3__strlen
              • String ID:
              • API String ID: 708778256-0
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Similarity
              • API ID: String$Free$H_prolog3_
              • String ID:
              • API String ID: 332078091-0
              APIs
              • GetLastError.KERNEL32(17703A82,?,74DEDFA0,74DEE010), ref: 00404AD3
              • SysFreeString.OLEAUT32(?), ref: 00404AEF
              • SysFreeString.OLEAUT32(?), ref: 00404AFA
              • SetLastError.KERNEL32(?), ref: 00404B1A
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Similarity
              • API ID: ErrorFreeLastString
              • String ID:
              • API String ID: 3822639702-0
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 0043E653
                • Part of subcall function 0043E013: __EH_prolog3_GS.LIBCMT ref: 0043E01A
                • Part of subcall function 0043E013: IsWindow.USER32(?), ref: 0043E060
                • Part of subcall function 0043E013: SendMessageW.USER32(?,00001061,?,00000008), ref: 0043E075
              • SendMessageW.USER32(?,0000101E,00000000,000000FE), ref: 0043E729
              • SendMessageW.USER32(?,00001036,00000000,00000020), ref: 0043E742
              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0043E750
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Similarity
              • API ID: MessageSend$H_prolog3_$Window
              • String ID:
              • API String ID: 1329796335-0
              APIs
              • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0047712B
              • __isleadbyte_l.LIBCMT ref: 00477159
              • MultiByteToWideChar.KERNEL32(00000080,00000009,00455D02,00000001,00000000,00000000,?,00000000,00000000,?,F8@,00455D02,00000000), ref: 00477187
              • MultiByteToWideChar.KERNEL32(00000080,00000009,00455D02,00000001,00000000,00000000,?,00000000,00000000,?,F8@,00455D02,00000000), ref: 004771BD
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Similarity
              • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
              • String ID:
              • API String ID: 3058430110-0
              APIs
              • IsBadReadPtr.KERNEL32(?,00000004), ref: 004968E3
              • GetLastError.KERNEL32(?,?,?,?,?,?,00496876,?,?,?), ref: 004968E9
              • IsBadReadPtr.KERNEL32(?,00000000), ref: 00496909
              • _memmove.LIBCMT ref: 0049693A
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Similarity
              • API ID: Read$ErrorLast_memmove
              • String ID:
              • API String ID: 1328700803-0
              APIs
              • FindResourceExW.KERNEL32(?,00000006,?,?,?,00000001,?,?,00420D4D,?,?,?,?,?,00000001), ref: 0048832E
              • FindResourceExW.KERNEL32(?,00000006,00000001,?,?,00000001,?,?,00420D4D,?,?,?,?,?,00000001), ref: 00488366
              • FindResourceExW.KERNEL32(?,00000006,00000001,00000400,?,00000001,?,?,00420D4D,?,?,?,?,?,00000001), ref: 00488393
              • FindResourceExW.KERNEL32(?,00000006,00000001,00000000,?,00000001,?,?,00420D4D,?,?,?,?,?,00000001), ref: 004883BD
                • Part of subcall function 0048829B: __EH_prolog3_GS.LIBCMT ref: 004882A2
                • Part of subcall function 0048829B: LoadResource.KERNEL32(?,?,00000038,004883D8,?,?,?,?,?,00000001,?,?,00420D4D,?,?,?), ref: 004882B9
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Similarity
              • API ID: Resource$Find$H_prolog3_Load
              • String ID:
              • API String ID: 4133745404-0
              APIs
              • SysStringLen.OLEAUT32(00000001), ref: 00419674
              • SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 004196CC
              • SysStringLen.OLEAUT32(00000001), ref: 004196E1
              • SysFreeString.OLEAUT32(00000001), ref: 0041971E
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Similarity
              • API ID: String$AllocFree
              • String ID:
              • API String ID: 344208780-0
              APIs
              • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0049784F
              • GetFileSize.KERNEL32(00000000,00000000), ref: 00497865
              • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00497883
              • CloseHandle.KERNEL32(00000000), ref: 0049788F
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Similarity
              • API ID: File$CloseCreateHandleReadSize
              • String ID:
              • API String ID: 3919263394-0
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 0044874C
              • __CxxThrowException@8.LIBCMT ref: 004487A2
              • SetFilePointer.KERNEL32(?,?,00000000,?,00000088,0044853C,00000000,00000000,00000000,00000000,00000000,0000000C,00448616), ref: 004487AE
              • GetLastError.KERNEL32(?,?,?,?,?,?,00000000), ref: 004487F2
                • Part of subcall function 0044292C: __EH_prolog3.LIBCMT ref: 00442933
                • Part of subcall function 0044287A: __EH_prolog3.LIBCMT ref: 00442881
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Similarity
              • API ID: H_prolog3$ErrorException@8FileH_prolog3_LastPointerThrow
              • String ID:
              • API String ID: 4022812620-0
              APIs
              • GetLastError.KERNEL32(004CBE7C,004CBE7A,?,?,?,17703A82,?,?,004B3CC8,000000FF), ref: 00402A2B
              • SysFreeString.OLEAUT32(?), ref: 00402A47
              • SysFreeString.OLEAUT32(?), ref: 00402A52
              • SetLastError.KERNEL32(?), ref: 00402A72
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Similarity
              • API ID: ErrorFreeLastString
              • String ID:
              • API String ID: 3822639702-0
              APIs
              • GetLastError.KERNEL32(004CBE7C,004CBE7A,?,?,?,17703A82,?,?,004B3CC8,000000FF), ref: 00402A2B
              • SysFreeString.OLEAUT32(?), ref: 00402A47
              • SysFreeString.OLEAUT32(?), ref: 00402A52
              • SetLastError.KERNEL32(?), ref: 00402A72
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Similarity
              • API ID: ErrorFreeLastString
              • String ID:
              • API String ID: 3822639702-0
              APIs
              • GetTempPathW.KERNEL32(?,?,00000000,00000000,?,?,004199E0,?,00000400,00000000,00000000,00000001,0000044F,00000000,000008A8,00428637), ref: 0041C679
              • SetErrorMode.KERNEL32(00008003,?,?,004199E0,?,00000400,00000000,00000000,00000001,0000044F,00000000,000008A8,00428637,00000452,?,00000218), ref: 0041C688
              • GetWindowsDirectoryW.KERNEL32(?,?,?,?,004199E0,?,00000400,00000000,00000000,00000001,0000044F,00000000,000008A8,00428637,00000452,?), ref: 0041C69F
              • lstrcpyW.KERNEL32(?,004CBE7C,?,?,004199E0,?,00000400,00000000,00000000,00000001,0000044F,00000000,000008A8,00428637,00000452,?), ref: 0041C6BC
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Similarity
              • API ID: DirectoryErrorModePathTempWindowslstrcpy
              • String ID:
              • API String ID: 3576100887-0
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 00448856
              • __CxxThrowException@8.LIBCMT ref: 004488AE
              • GetFileSize.KERNEL32(?,?,00000088,00448455,00000000,0000000C,00448616,?,?,?,?,?,?,00000000), ref: 004488B7
              • GetLastError.KERNEL32(?,?,?,?,?,?,00000000), ref: 004488C4
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Similarity
              • API ID: ErrorException@8FileH_prolog3_LastSizeThrow
              • String ID:
              • API String ID: 4197087271-0
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Similarity
              • API ID: _memset$H_prolog3_catch_wcscpy
              • String ID:
              • API String ID: 2263572865-0
              APIs
              • CharNextW.USER32(?,?,?,00000000,?,004516E8,?,?,00450795,?,?,00450247,?,?,00447A1B,004F2640), ref: 0045166C
              • CharNextW.USER32(?,?,?,00000000,?,004516E8,?,?,00450795,?,?,00450247,?,?,00447A1B,004F2640), ref: 00451690
              • CharNextW.USER32(00000000,?,?,00000000,?,004516E8,?,?,00450795,?,?,00450247,?,?,00447A1B,004F2640), ref: 00451699
              • CharNextW.USER32(00000000,?,?,00000000,?,004516E8,?,?,00450795,?,?,00450247,?,?,00447A1B,004F2640), ref: 0045169E
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Similarity
              • API ID: CharNext
              • String ID:
              • API String ID: 3213498283-0
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Similarity
              • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
              • String ID:
              • API String ID: 3016257755-0
              APIs
              • ___BuildCatchObject.LIBCMT ref: 00459953
                • Part of subcall function 0045A035: ___AdjustPointer.LIBCMT ref: 0045A07E
              • _UnwindNestedFrames.LIBCMT ref: 0045996A
              • ___FrameUnwindToState.LIBCMT ref: 0045997C
              • CallCatchBlock.LIBCMT ref: 004599A0
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Similarity
              • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
              • String ID:
              • API String ID: 2633735394-0
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 004481FB
              • InterlockedDecrement.KERNEL32(00000000), ref: 0044820B
              • CloseHandle.KERNEL32(000000FF), ref: 00448233
              • __CxxThrowException@8.LIBCMT ref: 0044826C
                • Part of subcall function 00448283: InterlockedDecrement.KERNEL32(004F4A34), ref: 004482A8
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Similarity
              • API ID: DecrementInterlocked$CloseException@8H_prolog3_HandleThrow
              • String ID:
              • API String ID: 104201321-0
              APIs
              • PostMessageW.USER32(?,00000002,00000000,00000000), ref: 004127C0
              • KillTimer.USER32(?,000005DC), ref: 004127D7
              • PostQuitMessage.USER32(00000000), ref: 004127DF
              • SetTimer.USER32(?,000005DC,000003E8,00000000), ref: 00412800
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Similarity
              • API ID: MessagePostTimer$KillQuit
              • String ID:
              • API String ID: 143517078-0
              APIs
              • GetDlgItem.USER32(00000000), ref: 0043E792
              • SendMessageW.USER32(00000000,0000100C,000000FF,00000002), ref: 0043E7A4
              • _memset.LIBCMT ref: 0043E7B9
              • SendMessageW.USER32(00000000,0000104B,00000000,?), ref: 0043E7D7
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Similarity
              • API ID: MessageSend$Item_memset
              • String ID:
              • API String ID: 105786929-0
              APIs
              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0042A746
              • IsDialogMessageW.USER32(?), ref: 0042A75A
              • TranslateMessage.USER32(?), ref: 0042A768
              • DispatchMessageW.USER32(?), ref: 0042A772
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Similarity
              • API ID: Message$DialogDispatchPeekTranslate
              • String ID:
              • API String ID: 1266772231-0
              APIs
              • __lock.LIBCMT ref: 004594E4
                • Part of subcall function 00467E1A: __mtinitlocknum.LIBCMT ref: 00467E2C
                • Part of subcall function 00467E1A: __amsg_exit.LIBCMT ref: 00467E38
                • Part of subcall function 00467E1A: EnterCriticalSection.KERNEL32(00000000,?,004594E9,0000000D), ref: 00467E45
              • InterlockedIncrement.KERNEL32(?), ref: 004594F1
              • __lock.LIBCMT ref: 00459505
              • ___addlocaleref.LIBCMT ref: 00459523
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Similarity
              • API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__amsg_exit__mtinitlocknum
              • String ID:
              • API String ID: 153627126-0
              APIs
              • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 004502F3
              • GetObjectW.GDI32(00000000,0000005C,?), ref: 00450300
                • Part of subcall function 0045087D: GetLocaleInfoW.KERNEL32(?,00001004,?,00000014), ref: 004508AF
                • Part of subcall function 0045087D: TranslateCharsetInfo.GDI32(00000000,?,00000002), ref: 004508CA
              • CreateFontIndirectW.GDI32(?), ref: 00450316
              • SendMessageW.USER32(?,00000030,00000000,00000000), ref: 00450324
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Similarity
              • API ID: InfoMessageSend$CharsetCreateFontIndirectLocaleObjectTranslate
              • String ID:
              • API String ID: 2681337867-0
              • Opcode ID: 547da95cf5e258e96795c9cdbf9780fecffe026a92fc3af8a1d7de84105efe83
              • Instruction ID: 3642c41b3c1549a280865d37cd620fb59a54b6ce2bac74ce5c340aed48855aa9
              • Opcode Fuzzy Hash: 547da95cf5e258e96795c9cdbf9780fecffe026a92fc3af8a1d7de84105efe83
              • Instruction Fuzzy Hash: ACF04471A00308BFDB14AFE5DC4AFAE777DBB08701F100519B6029B1D1CA74E5048B58
              APIs
              • __EH_prolog3.LIBCMT ref: 0041E72F
              • GetLastError.KERNEL32(00000004,0041EE36,?,00000000,00000004,0041F425,?,00000001), ref: 0041E753
              • SetLastError.KERNEL32(?), ref: 0041E784
              • SetLastError.KERNEL32(00000000), ref: 0041E7A8
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: ErrorLast$H_prolog3
              • String ID:
              • API String ID: 3502553090-0
              • Opcode ID: 059704aff975f8f301f06f66170b4e93ca3cc3c44594569824285276ab2eb808
              • Instruction ID: 435b362f573e68f30a4b0e111fdaefec62483ffb1fddc103e7d50f4569dcf015
              • Opcode Fuzzy Hash: 059704aff975f8f301f06f66170b4e93ca3cc3c44594569824285276ab2eb808
              • Instruction Fuzzy Hash: 98110378904204CFCB04DF68C984789BBE0AF05329F04C19AEC155F2A7C7B9DA44CF64
              APIs
              • IsWindow.USER32 ref: 0042A793
              • GetDlgItem.USER32(0000012D), ref: 0042A7B0
              • SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 0042A7C8
              • SendMessageW.USER32(00000000,00000402,?,00000000), ref: 0042A7E1
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: MessageSend$ItemWindow
              • String ID:
              • API String ID: 591194657-0
              • Opcode ID: efa578ecf513dc9695919d5ed216e3cce92d510327448c30793b1b7b5905b441
              • Instruction ID: 022326c3a002840b5ca6a05cc1cd46de2c24fb1e1929aa58b5b0ce2b362f6279
              • Opcode Fuzzy Hash: efa578ecf513dc9695919d5ed216e3cce92d510327448c30793b1b7b5905b441
              • Instruction Fuzzy Hash: 3CF0A7713005287FE6102715FDC5D7B77ADDB813997410036FB05F65A1D658DC22897E
              APIs
              • GetLastError.KERNEL32 ref: 004B4CE3
              • SysFreeString.OLEAUT32 ref: 004B4CFF
              • SysFreeString.OLEAUT32(00000000), ref: 004B4D32
              • SetLastError.KERNEL32(00000000), ref: 004B4D62
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: ErrorFreeLastString
              • String ID:
              • API String ID: 3822639702-0
              • Opcode ID: ebfcaa454c65339febe15487282de4831df4bba9ff64bc7ea679054b78a84ee8
              • Instruction ID: 3e94f36646bf0a2584fe6b4bb201e7b760ec16593aab7b647eb30ac94c3339d2
              • Opcode Fuzzy Hash: ebfcaa454c65339febe15487282de4831df4bba9ff64bc7ea679054b78a84ee8
              • Instruction Fuzzy Hash: E2017C314042809FC700EF29EC88A5A37E4FF29309B464479F905AB2B2D73A695CCF9D
              APIs
              • lstrlenW.KERNEL32(?,?,?,00447A1B,004F2640,?,004F2EDC,?,?,004199BE,00000000,00000001,0000044F,00000000,000008A8,00428637), ref: 0045020A
              • lstrcpynW.KERNEL32(?,?,-00000001,?,00447A1B,004F2640,?,004F2EDC,?,?,004199BE,00000000,00000001,0000044F,00000000,000008A8), ref: 0045022E
              • lstrcpyW.KERNEL32(?,?,?,00447A1B,004F2640,?,004F2EDC,?,?,004199BE,00000000,00000001,0000044F,00000000,000008A8,00428637), ref: 0045023B
              • lstrcatW.KERNEL32(?,?,?,?,00447A1B,004F2640,?,004F2EDC,?,?,004199BE,00000000,00000001,0000044F,00000000,000008A8), ref: 0045024B
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: lstrcatlstrcpylstrcpynlstrlen
              • String ID:
              • API String ID: 3428934214-0
              • Opcode ID: ea9edf0de9c71849804497ca98ab3deb9bf54029a9c9c011c404c3e0d6ded2cb
              • Instruction ID: 8f46b275d896e7c45e09acfe57c5a498f90d2a749d70bf3bdd4b0c1be90694d6
              • Opcode Fuzzy Hash: ea9edf0de9c71849804497ca98ab3deb9bf54029a9c9c011c404c3e0d6ded2cb
              • Instruction Fuzzy Hash: 82F0903A001524AB8B216B90DC0C8EF37ACEF0A311B01C456FD01D3101D7286E4587DA
              APIs
              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0049305D
              • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,?,000004FF), ref: 00493076
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: MessageMultipleObjectsPeekWait
              • String ID:
              • API String ID: 3986374578-0
              • Opcode ID: a28d8cd5ddd7bb9b9852d16e45718e5c2603d285f98334d5118f461dc4e0da84
              • Instruction ID: a9d84fe1c1da8f04d5dab5fe48bfa392a310f80f3fd50af444300d48461d1731
              • Opcode Fuzzy Hash: a28d8cd5ddd7bb9b9852d16e45718e5c2603d285f98334d5118f461dc4e0da84
              • Instruction Fuzzy Hash: C8F030B250020DBFDF109FE9DC88DAB7BACAB05705F408431F605D6154E278DA458B28
              APIs
              • GlobalAlloc.KERNEL32(00000040,?,?,?,0041D94C,00000000,00000000,?,00000000,00000000,?,?,00000001,?,00420DFB,?), ref: 0041DD73
              • GlobalLock.KERNEL32(00000000), ref: 0041DD81
              • _memmove.LIBCMT ref: 0041DD90
              • GlobalUnlock.KERNEL32 ref: 0041DDA8
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: Global$AllocLockUnlock_memmove
              • String ID:
              • API String ID: 660073773-0
              • Opcode ID: 109fc85c64df444bec1e5aaad9dda8769909d96c80c151eeceeadefeb3786730
              • Instruction ID: 0d89da9667238cac23b508c95b0c0107e40aef96fe4c69b124679469305c4a64
              • Opcode Fuzzy Hash: 109fc85c64df444bec1e5aaad9dda8769909d96c80c151eeceeadefeb3786730
              • Instruction Fuzzy Hash: 20F082B2940603ABEB017FB9DC05A9ABBECEF153517018136F919C2251D779D861C7A8
              APIs
              • _wcsstr.LIBCMT ref: 004961C0
              • lstrlenW.KERNEL32(?,00000000,?,00496159,00000000,2.5.4.3,?), ref: 004961D0
              • _wcsstr.LIBCMT ref: 004961E2
              • lstrlenW.KERNEL32(-00000002,?,00496159,00000000,2.5.4.3,?), ref: 004961F4
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: _wcsstrlstrlen
              • String ID:
              • API String ID: 4267858634-0
              • Opcode ID: f8889d59413847771462de00a8ba03517b6fe8ba51e3b61e1ad4ebc3d2149948
              • Instruction ID: 6aa7490e4999a097ea68969c5d2e507fc6de3a1a8f78b85036a3e13e506b9eaf
              • Opcode Fuzzy Hash: f8889d59413847771462de00a8ba03517b6fe8ba51e3b61e1ad4ebc3d2149948
              • Instruction Fuzzy Hash: 2AF0E236149626AB9B116F65EC0189E3B54EF00331312813BFC05A6251DB3E9922DAD8
              APIs
              • IsWindow.USER32 ref: 0042A7F1
              • GetDlgItem.USER32(0000012D), ref: 0042A80A
              • SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 0042A81A
              • SendMessageW.USER32(00000000,00000402,?,00000000), ref: 0042A837
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: MessageSend$ItemWindow
              • String ID:
              • API String ID: 591194657-0
              • Opcode ID: 350f66ac67aa52ef4c83447b40a7056e44d45f144132192a221f50c229224e69
              • Instruction ID: 570517226b46eb02ddae10957fa04967b4bd7101080267484df83c701d589210
              • Opcode Fuzzy Hash: 350f66ac67aa52ef4c83447b40a7056e44d45f144132192a221f50c229224e69
              • Instruction Fuzzy Hash: 82F0E931300120BBDB205B55FD09EAA3FADDB44791B010031FA08B21A0C7658822CAAD
              APIs
              • TranslateMessage.USER32(?), ref: 00436629
              • DispatchMessageW.USER32(?), ref: 00436633
              • WaitForSingleObject.KERNEL32(?,00000000), ref: 0043663D
              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00436650
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: Message$DispatchObjectPeekSingleTranslateWait
              • String ID:
              • API String ID: 3621893840-0
              • Opcode ID: 9266fc92814ef52d7d632c7929adfcaa2a0df36947514364a1da46671273c4ae
              • Instruction ID: 81d6e2966d20ccf9cdbf075352b61aaec6c559ed8977484110901d39cee48cbd
              • Opcode Fuzzy Hash: 9266fc92814ef52d7d632c7929adfcaa2a0df36947514364a1da46671273c4ae
              • Instruction Fuzzy Hash: A7F0827190014ABBCF206FB59C0ED9B3FBCAB85740F118136F512D1011E63CC006CE28
              APIs
              • __EH_prolog3.LIBCMT ref: 00451791
                • Part of subcall function 004115ED: __EH_prolog3.LIBCMT ref: 004115F4
                • Part of subcall function 0048376D: __EH_prolog3_GS.LIBCMT ref: 00483777
              • SetErrorMode.KERNEL32(00008001), ref: 004517CA
              • RemoveDirectoryW.KERNEL32(0000000A), ref: 004517D3
              • SetErrorMode.KERNEL32(00000000), ref: 004517E0
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: ErrorH_prolog3Mode$DirectoryH_prolog3_Remove
              • String ID:
              • API String ID: 359717666-0
              • Opcode ID: 8d46045e9f93628d267a6719a3cf4ec9001a8cdf50fd6cdeafa22cba6f51eccc
              • Instruction ID: 241bf596889c6921633d71cbc6a456e750a333e17d283ce338fc36353f5e7786
              • Opcode Fuzzy Hash: 8d46045e9f93628d267a6719a3cf4ec9001a8cdf50fd6cdeafa22cba6f51eccc
              • Instruction Fuzzy Hash: 76F0E9B2A00204AFEB007FF5CD4677E7BA5AF44309F01812EFD155A1E2CB394A158B5A
              APIs
              • FindResourceW.KERNEL32(?,?,?), ref: 00422122
              • SizeofResource.KERNEL32(?,00000000), ref: 0042212E
              • LoadResource.KERNEL32(?,00000000), ref: 0042213A
              • LockResource.KERNEL32(00000000), ref: 00422141
                • Part of subcall function 00421F9C: __EH_prolog3_GS.LIBCMT ref: 00421FA6
                • Part of subcall function 00421F9C: _memmove.LIBCMT ref: 0042207A
                • Part of subcall function 00421F9C: _memmove.LIBCMT ref: 0042209A
                • Part of subcall function 00421F9C: GetWindowDC.USER32(00000000), ref: 004220A4
                • Part of subcall function 00421F9C: CreateDIBitmap.GDI32(00000000,00000000,00000004,?,00000000,00000000), ref: 004220BC
                • Part of subcall function 00421F9C: ReleaseDC.USER32(00000000,00000000), ref: 004220E7
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: Resource$_memmove$BitmapCreateFindH_prolog3_LoadLockReleaseSizeofWindow
              • String ID:
              • API String ID: 494462844-0
              • Opcode ID: 546b4f01aed96642dd524b0b210e93cc8529124e64401113b354ed3f5b521dad
              • Instruction ID: 17a06c0b37bb152fa7e778da79682451cece34773fbf6cc01572ff3bfbb0e97f
              • Opcode Fuzzy Hash: 546b4f01aed96642dd524b0b210e93cc8529124e64401113b354ed3f5b521dad
              • Instruction Fuzzy Hash: E7E06D3A100218BFCF102FA2EC0CCAB3F6DEB892A0701413AFD0986221C7368851DBA4
              APIs
              • GetLastError.KERNEL32(?,?,00404B6A,00000000,?,00000001,000000FF,17703A82,?,74DEDFA0,74DEE010), ref: 00401A6F
              • SysFreeString.OLEAUT32(?), ref: 00401A8B
              • SysFreeString.OLEAUT32(?), ref: 00401A96
              • SetLastError.KERNEL32(?), ref: 00401AB4
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: ErrorFreeLastString
              • String ID:
              • API String ID: 3822639702-0
              • Opcode ID: cff66515807270a6c42dd59da6dbde4507fe6bc75becf7988efc84f4354a29a9
              • Instruction ID: bd6773e8b2383c41371e4ed817fbb714c27f1331ae620e6c2ba97ff9173eaaad
              • Opcode Fuzzy Hash: cff66515807270a6c42dd59da6dbde4507fe6bc75becf7988efc84f4354a29a9
              • Instruction Fuzzy Hash: 33F0F935500612EFC7009F19E948A40BBF1FF493197158266E81897A21C775F8A4CFC4
              APIs
              • GetLastError.KERNEL32(?,00000000,004035F7,00000000,00000000,?,?,00000000,004CBE7C,?,00000001,?,00000000,000000FF,-00000004,?), ref: 00401ACF
              • SysFreeString.OLEAUT32(?), ref: 00401AEB
              • SysFreeString.OLEAUT32(?), ref: 00401AF6
              • SetLastError.KERNEL32(?), ref: 00401B14
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: ErrorFreeLastString
              • String ID:
              • API String ID: 3822639702-0
              • Opcode ID: cff66515807270a6c42dd59da6dbde4507fe6bc75becf7988efc84f4354a29a9
              • Instruction ID: c072115f7aae3e5007a960c25ded8c9c3ff758c039278c9b34fceea5a298f4ee
              • Opcode Fuzzy Hash: cff66515807270a6c42dd59da6dbde4507fe6bc75becf7988efc84f4354a29a9
              • Instruction Fuzzy Hash: 1FF0F935500612EFC7009F19E948A40BBF1FF48319715826AE81897A21CB75F8A4DFC4
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: ErrorFreeLastString
              • String ID:
              • API String ID: 3822639702-0
              • Opcode ID: cff66515807270a6c42dd59da6dbde4507fe6bc75becf7988efc84f4354a29a9
              • Instruction ID: 9ebd430fbf6e127b6b062412181c0c9515cee16acc4b60a01e570bcb4f09eeb3
              • Opcode Fuzzy Hash: cff66515807270a6c42dd59da6dbde4507fe6bc75becf7988efc84f4354a29a9
              • Instruction Fuzzy Hash: 94F0F435400A12EFC7009F19E948A40BBF1FF48329B16826AE81897A21CB75F8A4CFD4
              APIs
              • GetLastError.KERNEL32(?,00000000,00415457,00000000,?,00000000,?,00000001,00000044,004152EA,004CC0A0,?,00000000,00000000,00000040,004115AA), ref: 00401B8F
              • SysFreeString.OLEAUT32(00000000), ref: 00401BAB
              • SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
              • SetLastError.KERNEL32(?), ref: 00401BD4
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: ErrorFreeLastString
              • String ID:
              • API String ID: 3822639702-0
              • Opcode ID: cff66515807270a6c42dd59da6dbde4507fe6bc75becf7988efc84f4354a29a9
              • Instruction ID: 787b4b8e4d91b472731cf21ffac500a757c50aa13702ab3579e144961dc1b93b
              • Opcode Fuzzy Hash: cff66515807270a6c42dd59da6dbde4507fe6bc75becf7988efc84f4354a29a9
              • Instruction Fuzzy Hash: 7CF0F435400A12EFC7009F19E948A40BBF1FF48329B16826AE81897A21CB75F9A4CFC4
              APIs
              • SetErrorMode.KERNEL32(00008001,00000000,?,00451838,0000000A), ref: 0045059F
              • CreateFileW.KERNEL32(00451838,80000000,00000000,00000000,00000003,00000080,00000000,?,00451838,0000000A), ref: 004505B9
              • SetErrorMode.KERNEL32(00000000,?,00451838,0000000A), ref: 004505C5
              • CloseHandle.KERNEL32(00000000,?,00451838,0000000A), ref: 004505D1
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: ErrorMode$CloseCreateFileHandle
              • String ID:
              • API String ID: 1343785229-0
              • Opcode ID: 32ea07368ed0828c61dfd1612eac3e440ae97db3539af8203b3fb01f66be4485
              • Instruction ID: 76ceefc22656bbf84f7feebc54ea8ed99666622951d23d4873f58f9bb890167f
              • Opcode Fuzzy Hash: 32ea07368ed0828c61dfd1612eac3e440ae97db3539af8203b3fb01f66be4485
              • Instruction Fuzzy Hash: 7BE086321401447BE3605772AC0CF1B3EEDEBD6B22F525639FA12E40D1DA395115DA7D
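The entry above is the one worth reading closely by hand: SetErrorMode(0x8001) sets SEM_FAILCRITICALERRORS and SEM_NOOPENFILEERRORBOX, CreateFileW is called with GENERIC_READ and OPEN_EXISTING, and the previous mode is restored. That is the standard way to test whether a path (typically a drive root) is reachable without Windows raising the "no disk in drive" critical-error dialog, and it is the call shape behind the drive-enumeration verdict in the signature list. The following script is an added example, not part of the Joe Sandbox report or of SureDI.exe; it parses the "APIs" bullet lines in the format used on this page into structured records, decodes the SetErrorMode and CreateFileW arguments with the Windows SDK constant names, and reports the SetErrorMode/CreateFileW pairing. The sample input is copied from entries on this page (a constructed subset for the example); the record layout, constant tables and function names are the example's own.

```python
import re
from typing import NamedTuple, Optional

# Sample input: "APIs" lines copied from entries on this page
# (a constructed subset for this example, not a new capture).
SAMPLE_LINES = """\
• SetErrorMode.KERNEL32(00008001,00000000,?,00451838,0000000A), ref: 0045059F
• CreateFileW.KERNEL32(00451838,80000000,00000000,00000000,00000003,00000080,00000000,?,00451838,0000000A), ref: 004505B9
• SetErrorMode.KERNEL32(00000000,?,00451838,0000000A), ref: 004505C5
• CloseHandle.KERNEL32(00000000,?,00451838,0000000A), ref: 004505D1
  • Part of subcall function 00484C39: GetProcAddress.KERNEL32(00000000), ref: 00484C62
• lstrcmpiW.KERNEL32(?,hide_progress), ref: 00427A86
• __EH_prolog3_GS.LIBCMT ref: 00485512
"""

class ApiCall(NamedTuple):
    api: str
    module: str
    args: tuple                 # 32-bit hex tokens -> int, "?" -> None, anything else -> str
    ref: int                    # address of the call site
    subcall_of: Optional[int]   # callee address when the line is a "Part of subcall" entry

# One report line: optional subcall prefix, API.MODULE, optional "(args)", then "ref: ADDR".
_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>[\w.]+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
_HEX32 = re.compile(r"^-?[0-9A-Fa-f]{8}$")

def _decode_arg(tok: str):
    tok = tok.strip()
    if tok == "?":
        return None
    if _HEX32.match(tok):
        return int(tok, 16)     # "-00000001" becomes -1
    return tok                  # strings such as "hide_progress" or "kernel32.dll"

def parse_api_lines(text: str) -> list:
    """Parse the bullet lines of an 'APIs' section into ApiCall records.
    Caveat: arguments are split on ',', so a string argument containing a comma
    (none does in this report) would be split as well."""
    calls = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        args = tuple(_decode_arg(t) for t in m["args"].split(",")) if m["args"] else ()
        sub = int(m["sub"], 16) if m["sub"] else None
        calls.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16), sub))
    return calls

# Win32 constants (winbase.h / winnt.h) needed to read the two calls of interest.
SEM_FLAGS = {0x0001: "SEM_FAILCRITICALERRORS", 0x0002: "SEM_NOGPFAULTERRORBOX",
             0x0004: "SEM_NOALIGNMENTFAULTEXCEPT", 0x8000: "SEM_NOOPENFILEERRORBOX"}
ACCESS_FLAGS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
OPEN_EXISTING = 3

def decode_flags(value: int, table: dict) -> str:
    names = [name for bit, name in table.items() if value & bit]
    return "|".join(names) if names else hex(value)

def describe(call: ApiCall) -> str:
    """Human-readable form of a call, with SetErrorMode/CreateFileW arguments decoded."""
    a = call.args
    if call.api == "SetErrorMode" and a and isinstance(a[0], int):
        return f"{call.ref:08X} SetErrorMode({decode_flags(a[0], SEM_FLAGS)})"
    if call.api == "CreateFileW" and len(a) >= 5 and isinstance(a[1], int) and isinstance(a[4], int):
        return (f"{call.ref:08X} CreateFileW(access={decode_flags(a[1], ACCESS_FLAGS)}, "
                f"disposition={DISPOSITION.get(a[4], hex(a[4]))})")
    return f"{call.ref:08X} {call.api}.{call.module}"

def find_silent_probes(calls: list) -> list:
    """Return (SetErrorMode ref, CreateFileW ref) pairs where SEM_FAILCRITICALERRORS was
    set and a path was then opened with OPEN_EXISTING before the mode changed again:
    a probe for a path (e.g. a drive root) that cannot raise the 'no disk' dialog."""
    found = []
    for i, c in enumerate(calls):
        if c.api != "SetErrorMode" or not c.args or not isinstance(c.args[0], int):
            continue
        if not c.args[0] & 0x0001:
            continue
        for d in calls[i + 1:]:
            if d.api == "SetErrorMode":
                break               # mode restored (or changed) without an open in between
            if d.api == "CreateFileW" and len(d.args) >= 5 and d.args[4] == OPEN_EXISTING:
                found.append((c.ref, d.ref))
                break
    return found

if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE_LINES)
    for call in parsed:
        print(describe(call))
    print("silent probes:", [(hex(s), hex(o)) for s, o in find_silent_probes(parsed)])
```

Paste any other "APIs" section from this report into SAMPLE_LINES to get the same decoding; the argument values the report shows are whatever the sandbox observed on the stack at call time, so "?" entries (unresolved) are kept as None rather than guessed.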
              APIs
              • lstrcmpiW.KERNEL32(?,hide_progress), ref: 00427A86
              • lstrcmpiW.KERNEL32(?,hide_splash,?,hide_progress), ref: 00427A99
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: lstrcmpi
              • String ID: hide_progress$hide_splash
              • API String ID: 1586166983-450596345
              • Opcode ID: e7cc84efdde7518b8b74fbfd476ff54413c7e30387d282a53c84385e36beee0c
              • Instruction ID: 3a4b5230afca9621e1304732efd5883ee46902f6843a76c64708eb473796b51c
              • Opcode Fuzzy Hash: e7cc84efdde7518b8b74fbfd476ff54413c7e30387d282a53c84385e36beee0c
              • Instruction Fuzzy Hash: 4FE0D83030CF62D6DB00A7B99CD47DE67645F12318F9002ABA051961D2D7BCAA46826D
              APIs
              • FindClose.KERNEL32(00000000), ref: 004857F8
                • Part of subcall function 00403E30: GetLastError.KERNEL32 ref: 00403E4F
                • Part of subcall function 00403E30: SetLastError.KERNEL32(?), ref: 00403E7F
                • Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00415457,00000000,?,00000000,?,00000001,00000044,004152EA,004CC0A0,?,00000000,00000000,00000040,004115AA), ref: 00401B8F
                • Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
                • Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
                • Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4
              • __EH_prolog3_GS.LIBCMT ref: 00485512
                • Part of subcall function 00411254: __EH_prolog3.LIBCMT ref: 0041125B
                • Part of subcall function 00411254: GetLastError.KERNEL32(00000004,00411484,00000000,00000000,00000004,004152FC,?,00000001,00411C1B,00000000), ref: 0041127D
                • Part of subcall function 00411254: SetLastError.KERNEL32(?,00000000), ref: 004112BD
                • Part of subcall function 0048376D: __EH_prolog3_GS.LIBCMT ref: 00483777
                • Part of subcall function 004202D0: __EH_prolog3_GS.LIBCMT ref: 004202D7
                • Part of subcall function 00484C39: __EH_prolog3_GS.LIBCMT ref: 00484C43
                • Part of subcall function 00484C39: GetModuleHandleW.KERNEL32(kernel32.dll,FindFirstFileW,00000254,0048386D), ref: 00484C5F
                • Part of subcall function 00484C39: GetProcAddress.KERNEL32(00000000), ref: 00484C62
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: ErrorLast$H_prolog3_$FreeString$AddressCloseFindH_prolog3HandleModuleProc
              • String ID: *.*
              • API String ID: 2006274578-438819550
              • Opcode ID: 04a4acfa95c88e62a88a7a646584f48f5524616d343fa46c8b4c30bf9b0a2c18
              • Instruction ID: 4613870085b3074d618074a3cfcc3ed61825bfd64568e398fb22a04dd73d65e6
              • Opcode Fuzzy Hash: 04a4acfa95c88e62a88a7a646584f48f5524616d343fa46c8b4c30bf9b0a2c18
              • Instruction Fuzzy Hash: B5D19DB1800218DEDF21EFA5CC81BDEBBB8AF05308F5040DEE40967291DB795A89CF59
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: H_prolog3_
              • String ID: invalid string position$string too long
              • API String ID: 2427045233-4289949731
              • Opcode ID: 7dc31c4f10bf9b60b07c7bfff853ab7aa0fbe305854626b4ded37cc0424e083f
              • Instruction ID: 8a73ff5e416a9291c6b96d8d342a684788f4894b7ef7e4ce830982edfbbf6661
              • Opcode Fuzzy Hash: 7dc31c4f10bf9b60b07c7bfff853ab7aa0fbe305854626b4ded37cc0424e083f
              • Instruction Fuzzy Hash: 5FB1C171A00218AFCB24DF68E880BDDB7B4BF55314F6041AFE455A7291DBB8AE84CF54
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 00428D10
                • Part of subcall function 00411456: __EH_prolog3.LIBCMT ref: 0041145D
                • Part of subcall function 004297F6: __EH_prolog3_GS.LIBCMT ref: 004297FD
                • Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00415457,00000000,?,00000000,?,00000001,00000044,004152EA,004CC0A0,?,00000000,00000000,00000040,004115AA), ref: 00401B8F
                • Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
                • Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
                • Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4
                • Part of subcall function 004115ED: __EH_prolog3.LIBCMT ref: 004115F4
                • Part of subcall function 004202D0: __EH_prolog3_GS.LIBCMT ref: 004202D7
                • Part of subcall function 0048AA86: __EH_prolog3_GS.LIBCMT ref: 0048AA8D
                • Part of subcall function 0048AA86: RegQueryValueExW.ADVAPI32(?,?,00000000,00000008,00000000,?,0000005C,00428DF7,?,-80000001,?,?), ref: 0048AB02
                • Part of subcall function 00403E30: GetLastError.KERNEL32 ref: 00403E4F
                • Part of subcall function 00403E30: SetLastError.KERNEL32(?), ref: 00403E7F
                • Part of subcall function 00418F22: __EH_prolog3.LIBCMT ref: 00418F29
                • Part of subcall function 004193C8: __EH_prolog3.LIBCMT ref: 004193CF
                • Part of subcall function 00416071: SysStringLen.OLEAUT32(?), ref: 0041607E
                • Part of subcall function 00416071: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 00416098
                • Part of subcall function 00419D16: __EH_prolog3_GS.LIBCMT ref: 00419D20
                • Part of subcall function 00419D16: SysStringLen.OLEAUT32(?), ref: 00419E46
                • Part of subcall function 00419D16: SysFreeString.OLEAUT32(?), ref: 00419E55
              Strings
              • UninstallString, xrefs: 00428D93
              • SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\, xrefs: 00428DAA
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: String$H_prolog3_$ErrorH_prolog3Last$Free$AllocQueryValue
              • String ID: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$UninstallString
              • API String ID: 1981213432-2644134543
              • Opcode ID: 507aa56dd7e3924662d72dc0556da43da3d559802b5d1a06cca5ff7a80688a5a
              • Instruction ID: 996790d93901a9a3104252da73b9e926aca7df2231bfd86b1c6d15656fefad90
              • Opcode Fuzzy Hash: 507aa56dd7e3924662d72dc0556da43da3d559802b5d1a06cca5ff7a80688a5a
              • Instruction Fuzzy Hash: FA81E430A04258EEDB14DBA4CC51BEDB7B8AF15304F5440DEE149A7192DBB85F88CB65
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 00429004
                • Part of subcall function 004287A2: RegOpenKeyExW.ADVAPI32(80000001,Software\InstallShield\ISWI\7.0\SetupExeLog,00000000,00000001,?), ref: 004287BC
                • Part of subcall function 004287A2: RegQueryValueExW.ADVAPI32(?,SetupLogFileName,00000000,00000000,004EF8A8,?), ref: 004287E2
                • Part of subcall function 004287A2: RegCloseKey.ADVAPI32(?), ref: 004287FD
                • Part of subcall function 00455577: _malloc.LIBCMT ref: 0045558F
                • Part of subcall function 00442378: __EH_prolog3_GS.LIBCMT ref: 00442382
                • Part of subcall function 00442378: GetModuleFileNameW.KERNEL32(00000000,?,00000400,004CBE7C,?,00000001), ref: 004424E3
                • Part of subcall function 00403E30: GetLastError.KERNEL32 ref: 00403E4F
                • Part of subcall function 00403E30: SetLastError.KERNEL32(?), ref: 00403E7F
                • Part of subcall function 004160CC: __EH_prolog3.LIBCMT ref: 004160D3
                • Part of subcall function 00416071: SysStringLen.OLEAUT32(?), ref: 0041607E
                • Part of subcall function 00416071: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 00416098
                • Part of subcall function 00450202: lstrlenW.KERNEL32(?,?,?,00447A1B,004F2640,?,004F2EDC,?,?,004199BE,00000000,00000001,0000044F,00000000,000008A8,00428637), ref: 0045020A
                • Part of subcall function 00450202: lstrcpynW.KERNEL32(?,?,-00000001,?,00447A1B,004F2640,?,004F2EDC,?,?,004199BE,00000000,00000001,0000044F,00000000,000008A8), ref: 0045022E
                • Part of subcall function 00450202: lstrcatW.KERNEL32(?,?,?,?,00447A1B,004F2640,?,004F2EDC,?,?,004199BE,00000000,00000001,0000044F,00000000,000008A8), ref: 0045024B
                • Part of subcall function 00411BD3: __EH_prolog3_GS.LIBCMT ref: 00411BDA
                • Part of subcall function 00411BD3: GetLastError.KERNEL32(00000038,004212CA), ref: 00411BE1
                • Part of subcall function 00411BD3: SetLastError.KERNEL32(00000000), ref: 00411C37
                • Part of subcall function 00429B98: __EH_prolog3_GS.LIBCMT ref: 00429BA2
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: ErrorH_prolog3_Last$String$AllocCloseFileH_prolog3ModuleNameOpenQueryValue_malloclstrcatlstrcpynlstrlen
              • String ID: /f1$Setup.iss
              • API String ID: 794928986-1350328100
              • Opcode ID: 532ac29129bc8d2c9aa78481670c90d8123c44a5f474075fcff7d65c818c1dd0
              • Instruction ID: 23d0b27522ef55a72bc1355e4bfdb9667de6847e5f0314e8b58d41f5b01bae2b
              • Opcode Fuzzy Hash: 532ac29129bc8d2c9aa78481670c90d8123c44a5f474075fcff7d65c818c1dd0
              • Instruction Fuzzy Hash: 2181D270A05358EEDB10EB65C855BDDBB74AF06308F0040EEE40967692DB789F88CF5A
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 0044A204
                • Part of subcall function 0044A491: __EH_prolog3_GS.LIBCMT ref: 0044A498
                • Part of subcall function 00411456: __EH_prolog3.LIBCMT ref: 0041145D
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: H_prolog3_$H_prolog3
              • String ID: %20$file://
              • API String ID: 3952504126-2765206336
              • Opcode ID: 42a61a836a460c1773bc6728de3dbf09bfc26bb5d038c7889458afc4c4423807
              • Instruction ID: 1025783e9974ab601c6d4c5fd66d14e7b808a7b83828c77711fb00a2cd57c17a
              • Opcode Fuzzy Hash: 42a61a836a460c1773bc6728de3dbf09bfc26bb5d038c7889458afc4c4423807
              • Instruction Fuzzy Hash: 71617E71A10218EEDB10EB94CC91BEEB3B8BF51308F50409EE545A7191EB785E49CB6A
              APIs
              • __EH_prolog3_catch_GS.LIBCMT ref: 0048D5FC
                • Part of subcall function 00403E30: GetLastError.KERNEL32 ref: 00403E4F
                • Part of subcall function 00403E30: SetLastError.KERNEL32(?), ref: 00403E7F
                • Part of subcall function 00411254: __EH_prolog3.LIBCMT ref: 0041125B
                • Part of subcall function 00411254: GetLastError.KERNEL32(00000004,00411484,00000000,00000000,00000004,004152FC,?,00000001,00411C1B,00000000), ref: 0041127D
                • Part of subcall function 00411254: SetLastError.KERNEL32(?,00000000), ref: 004112BD
                • Part of subcall function 0048D854: __EH_prolog3_catch_GS.LIBCMT ref: 0048D85E
                • Part of subcall function 0048D854: EnterCriticalSection.KERNEL32(00000090,0048D67D,?,00000000), ref: 0048D86E
                • Part of subcall function 0048D854: _strncpy.LIBCMT ref: 0048D89B
                • Part of subcall function 0048D854: lstrlenA.KERNEL32(00000000), ref: 0048D8A4
                • Part of subcall function 0048D854: LeaveCriticalSection.KERNEL32(004BAB98,40000000,00000001,00000080,00000004,00000000,00000000,004EEC44,00000000), ref: 0048D97F
                • Part of subcall function 004160CC: __EH_prolog3.LIBCMT ref: 004160D3
                • Part of subcall function 00416071: SysStringLen.OLEAUT32(?), ref: 0041607E
                • Part of subcall function 00416071: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 00416098
              • vswprintf.LIBCMT ref: 0048D6B1
                • Part of subcall function 0049E204: __vsnwprintf_l.LIBCMT ref: 0049E215
                • Part of subcall function 00411BD3: __EH_prolog3_GS.LIBCMT ref: 00411BDA
                • Part of subcall function 00411BD3: GetLastError.KERNEL32(00000038,004212CA), ref: 00411BE1
                • Part of subcall function 00411BD3: SetLastError.KERNEL32(00000000), ref: 00411C37
                • Part of subcall function 00416956: __EH_prolog3.LIBCMT ref: 0041695D
                • Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00415457,00000000,?,00000000,?,00000001,00000044,004152EA,004CC0A0,?,00000000,00000000,00000040,004115AA), ref: 00401B8F
                • Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
                • Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
                • Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4
                • Part of subcall function 00411357: __EH_prolog3.LIBCMT ref: 0041135E
                • Part of subcall function 00411357: GetLastError.KERNEL32(00000004,00411629,00000000,?,00000000,00000004,0041643B,-00000004,?,00000001,?,00000000), ref: 00411380
                • Part of subcall function 00411357: SetLastError.KERNEL32(?,00000000,?), ref: 004113C1
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: ErrorLast$H_prolog3String$CriticalFreeH_prolog3_catch_Section$AllocEnterH_prolog3_Leave__vsnwprintf_l_strncpylstrlenvswprintf
              • String ID: %ls|%ls|
              • API String ID: 3346502862-2729876737
              • Opcode ID: 45990849768a6e58878ec58c019a2de5cc48ba6026cee19479f00a8fbba0427a
              • Instruction ID: c2ebecdeceaa8a65ee4d276d9507130f3b1d94c032040f7dac1b1203baf33966
              • Opcode Fuzzy Hash: 45990849768a6e58878ec58c019a2de5cc48ba6026cee19479f00a8fbba0427a
              • Instruction Fuzzy Hash: 68517F719012089EDB11EFA2CD52FDDB7B8AF15304F6001AEF90667192DB786B48CF65
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 0042C99C
                • Part of subcall function 00402CA0: GetLastError.KERNEL32(17703A82,?,00000000,?,?,?,004B3A88,000000FF,?,00401F2D,InstallShield.log,?,00000001), ref: 00402CF0
                • Part of subcall function 00402CA0: SetLastError.KERNEL32(?,004CBE7C,00000000,?,00000000,?,?,?,004B3A88,000000FF,?,00401F2D,InstallShield.log,?,00000001), ref: 00402D68
                • Part of subcall function 0044561A: __EH_prolog3_GS.LIBCMT ref: 00445624
                • Part of subcall function 00401AC0: GetLastError.KERNEL32(?,00000000,004035F7,00000000,00000000,?,?,00000000,004CBE7C,?,00000001,?,00000000,000000FF,-00000004,?), ref: 00401ACF
                • Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AEB
                • Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AF6
                • Part of subcall function 00401AC0: SetLastError.KERNEL32(?), ref: 00401B14
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: ErrorLast$FreeH_prolog3_String
              • String ID: Startup$pjK
              • API String ID: 2608676048-1874063272
              • Opcode ID: d983e02ed487ca36152ddcd1a443249bbdf781cc4662a928546e5d796c3fbf23
              • Instruction ID: 21b890647f4dd841a74faa489e777e7b141d4670569d5e9404daa2619a7dfbdd
              • Opcode Fuzzy Hash: d983e02ed487ca36152ddcd1a443249bbdf781cc4662a928546e5d796c3fbf23
              • Instruction Fuzzy Hash: E7516F31900168EADB10EBA0CC45BEEB778AF55308F5440AEF405B71D2DB786F49CBA9
              APIs
              • __EH_prolog3.LIBCMT ref: 00485C59
              • CompareFileTime.KERNEL32(?,00000000,?,?,PSTORES.EXE,00000000,00000000,?,?,0000006C,0048BECB,004881FF,?,?), ref: 00485DB1
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: CompareFileH_prolog3Time
              • String ID: PSTORES.EXE
              • API String ID: 2703394530-1209905799
              • Opcode ID: 9e48f2fd7d98b77ff11df21dc4d84d3ab372e45f9cf6231faec08fb8483e1fa2
              • Instruction ID: b55e2bada13ccbf99d5522f1a361a055fffed17e312ed3545b1d4983e41cb188
              • Opcode Fuzzy Hash: 9e48f2fd7d98b77ff11df21dc4d84d3ab372e45f9cf6231faec08fb8483e1fa2
              • Instruction Fuzzy Hash: 5A511D72D0064DAFCF11EFE4C8849EEBBB8AF04314F14555BE901B7241DB38AA49CB69
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 0043BA06
                • Part of subcall function 00402CA0: GetLastError.KERNEL32(17703A82,?,00000000,?,?,?,004B3A88,000000FF,?,00401F2D,InstallShield.log,?,00000001), ref: 00402CF0
                • Part of subcall function 00402CA0: SetLastError.KERNEL32(?,004CBE7C,00000000,?,00000000,?,?,?,004B3A88,000000FF,?,00401F2D,InstallShield.log,?,00000001), ref: 00402D68
                • Part of subcall function 0043C2A0: __EH_prolog3.LIBCMT ref: 0043C2A7
                • Part of subcall function 00446705: __EH_prolog3_catch_GS.LIBCMT ref: 0044670F
                • Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00415457,00000000,?,00000000,?,00000001,00000044,004152EA,004CC0A0,?,00000000,00000000,00000040,004115AA), ref: 00401B8F
                • Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
                • Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
                • Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4
                • Part of subcall function 00401AC0: GetLastError.KERNEL32(?,00000000,004035F7,00000000,00000000,?,?,00000000,004CBE7C,?,00000001,?,00000000,000000FF,-00000004,?), ref: 00401ACF
                • Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AEB
                • Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AF6
                • Part of subcall function 00401AC0: SetLastError.KERNEL32(?), ref: 00401B14
                • Part of subcall function 00418968: __EH_prolog3_GS.LIBCMT ref: 0041896F
                • Part of subcall function 0044520D: __EH_prolog3_GS.LIBCMT ref: 00445214
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: ErrorLast$FreeString$H_prolog3_$H_prolog3H_prolog3_catch_
              • String ID: ProductCode$UpgradeCode
              • API String ID: 1645201819-492229846
              • Opcode ID: a9868291f9f689e6173c62ff97276c28a0a5cc15adc3215e0a67d2b03a591f2a
              • Instruction ID: dd2400b9dcb1e7f3bbb04b659ad43ba58782946e82ab64f8a8e2a378ac6d822f
              • Opcode Fuzzy Hash: a9868291f9f689e6173c62ff97276c28a0a5cc15adc3215e0a67d2b03a591f2a
              • Instruction Fuzzy Hash: B451BF31A00258EEDF14EBA0C891BEEB775BF15304F54409EE145AB1C2DB78AB48CF96
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: _memmove
              • String ID: invalid string position$string too long
              • API String ID: 4104443479-4289949731
              • Opcode ID: 399f6a88b1344059975f47123c8ee0826764bff0a952d80606d10aa112f0a61a
              • Instruction ID: 45089f8e1321aee7a868f0ce78776c41e9a9e44addc499ff451e28484435e445
              • Opcode Fuzzy Hash: 399f6a88b1344059975f47123c8ee0826764bff0a952d80606d10aa112f0a61a
              • Instruction Fuzzy Hash: 0F31C0323047108BD7209E5CA880B5BF7B9EB92761F100A3FE4419B2D2D7B5B840CBE9
              APIs
                • Part of subcall function 00456505: __getptd_noexit.LIBCMT ref: 00456505
              • __getbuf.LIBCMT ref: 0045AED1
              • __lseeki64.LIBCMT ref: 0045AF41
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: __getbuf__getptd_noexit__lseeki64
              • String ID: F8@
              • API String ID: 3311320906-3927299339
              • Opcode ID: eeebf0fdaf1de530af12c10c4b043aefd8f2a6853514bafd70ec7825ff78a035
              • Instruction ID: fc218469af38437fe7c957a648355e26bd07f14e0639f51d801a7c3ba1dc723a
              • Opcode Fuzzy Hash: eeebf0fdaf1de530af12c10c4b043aefd8f2a6853514bafd70ec7825ff78a035
              • Instruction Fuzzy Hash: E94103B21007059FD3248F2AC852A7B77E49B45335B14871FE8AA873D2E73CE8158B1B
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: _memmove
              • String ID: invalid string position$string too long
              • API String ID: 4104443479-4289949731
              • Opcode ID: a8b71ee6723aa2695697c3f330e166091df1d258e58eb69e0a9d550f40bf270a
              • Instruction ID: 11bd72ca48a031efb0dd4b13d17691aa3ea4fd33dafee7699969f1f266a395c7
              • Opcode Fuzzy Hash: a8b71ee6723aa2695697c3f330e166091df1d258e58eb69e0a9d550f40bf270a
              • Instruction Fuzzy Hash: CC319D32708314ABC7249E28E88089BF3AAEF91751310062FE405D7691EB75F8558BAA
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: H_prolog3__memset
              • String ID: Setup.bmp
              • API String ID: 3055368530-70249682
              • Opcode ID: dd4cdf87f96173d246f66a3da6b99489f6939edafbf8c67d52f14c620339c6a7
              • Instruction ID: e1cb68a754997a521ce23258f1e7cd533aa6fe3101418b3afc0902fd5092131f
              • Opcode Fuzzy Hash: dd4cdf87f96173d246f66a3da6b99489f6939edafbf8c67d52f14c620339c6a7
              • Instruction Fuzzy Hash: 46410B70900219AAEF20EB658C86BEF73F8BF00304F0485AFA559D7181DB789F858F95
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 00432DF5
                • Part of subcall function 00403B80: GetLastError.KERNEL32 ref: 00403B9F
                • Part of subcall function 00403B80: SetLastError.KERNEL32(?), ref: 00403BCF
                • Part of subcall function 00431C33: __EH_prolog3_GS.LIBCMT ref: 00431C3D
                • Part of subcall function 00431C33: VariantChangeType.OLEAUT32(?,?,00000000,00000002), ref: 00431C87
                • Part of subcall function 00431C33: VariantClear.OLEAUT32(?), ref: 00431E56
              • _memset.LIBCMT ref: 00432EC3
                • Part of subcall function 00402CA0: GetLastError.KERNEL32(17703A82,?,00000000,?,?,?,004B3A88,000000FF,?,00401F2D,InstallShield.log,?,00000001), ref: 00402CF0
                • Part of subcall function 00402CA0: SetLastError.KERNEL32(?,004CBE7C,00000000,?,00000000,?,?,?,004B3A88,000000FF,?,00401F2D,InstallShield.log,?,00000001), ref: 00402D68
                • Part of subcall function 00401AC0: GetLastError.KERNEL32(?,00000000,004035F7,00000000,00000000,?,?,00000000,004CBE7C,?,00000001,?,00000000,000000FF,-00000004,?), ref: 00401ACF
                • Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AEB
                • Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AF6
                • Part of subcall function 00401AC0: SetLastError.KERNEL32(?), ref: 00401B14
                • Part of subcall function 00403F40: GetLastError.KERNEL32(17703A82,?,?,?,?,004B39A8,000000FF), ref: 00403F82
                • Part of subcall function 00403F40: SetLastError.KERNEL32(?,00000000,00000000,000000FF,?,?,?,?,004B39A8,000000FF), ref: 00403FDE
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: ErrorLast$FreeH_prolog3_StringVariant$ChangeClearType_memset
              • String ID: Version
              • API String ID: 751381712-1889659487
              • Opcode ID: 2004a63a845c92062c7008de2bc93b0399ea2a7cc8d46fee28d6a8eafd131aa4
              • Instruction ID: aea659b1985cd06f6563f00114d48000e0287042f584fdf44c33397807d8d769
              • Opcode Fuzzy Hash: 2004a63a845c92062c7008de2bc93b0399ea2a7cc8d46fee28d6a8eafd131aa4
              • Instruction Fuzzy Hash: 24516C71905258AEDB60DB64CD89BDEB7B8AF14308F1001EAA109A7191DF785F88CF95
              APIs
                • Part of subcall function 00407350: SysAllocStringLen.OLEAUT32(00000000,?), ref: 00407399
                • Part of subcall function 00407350: _memmove.LIBCMT ref: 004073C1
                • Part of subcall function 00407350: SysFreeString.OLEAUT32 ref: 004073D1
              • _memmove.LIBCMT ref: 00407975
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: String_memmove$AllocFree
              • String ID: invalid string position$string too long
              • API String ID: 105348488-4289949731
              • Opcode ID: ba14bb7306ad4702a0cf6c42f02120b30645d3c284bd0ffb9a519ee9a66e68a3
              • Instruction ID: 49ec8d185e619d71a97fa880e0532ad9c770d01cb53663dc63d3a65998fd8033
              • Opcode Fuzzy Hash: ba14bb7306ad4702a0cf6c42f02120b30645d3c284bd0ffb9a519ee9a66e68a3
              • Instruction Fuzzy Hash: 8931EF727083049BD724DE6CE88081AB3EAEF91710320093FE451DB291DB75E844C7AA
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 0042F106
                • Part of subcall function 004115ED: __EH_prolog3.LIBCMT ref: 004115F4
                • Part of subcall function 00432AD8: __EH_prolog3.LIBCMT ref: 00432ADF
                • Part of subcall function 004202D0: __EH_prolog3_GS.LIBCMT ref: 004202D7
                • Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00415457,00000000,?,00000000,?,00000001,00000044,004152EA,004CC0A0,?,00000000,00000000,00000040,004115AA), ref: 00401B8F
                • Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
                • Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
                • Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: ErrorFreeH_prolog3H_prolog3_LastString
              • String ID: Extracting resource: %s$msiaction.cpp
              • API String ID: 262529356-4212155731
              • Opcode ID: 817a24f0ce62d888940d0a2e5fbc6935d51e253b0ba55c161b59eb2ab713c514
              • Instruction ID: 96fc52978078266506b1a5bc25af4e30483579c623127dd046450794d5cdc67b
              • Opcode Fuzzy Hash: 817a24f0ce62d888940d0a2e5fbc6935d51e253b0ba55c161b59eb2ab713c514
              • Instruction Fuzzy Hash: 1D41A030900258DEDB14EBA5CC55BEDB7B4BF11308F5080AEE445B71A2DB786F48CB65
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 00443CE3
                • Part of subcall function 00403E30: GetLastError.KERNEL32 ref: 00403E4F
                • Part of subcall function 00403E30: SetLastError.KERNEL32(?), ref: 00403E7F
                • Part of subcall function 00432AD8: __EH_prolog3.LIBCMT ref: 00432ADF
                • Part of subcall function 00420B07: __EH_prolog3_GS.LIBCMT ref: 00420B11
              Strings
              • C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}, xrefs: 00443DBD
              • %s: %s, xrefs: 00443D64
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: ErrorH_prolog3_Last$H_prolog3
              • String ID: %s: %s$C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}
              • API String ID: 3076002782-694142786
              • Opcode ID: d1da23b8d8b3e15a84b923edcf91413c12e72188f4a707507fdb2248dd6c8eab
              • Instruction ID: d8e03f9ec0860c54ecc495629729bf857051901b755657d5b5d8208d3726041a
              • Opcode Fuzzy Hash: d1da23b8d8b3e15a84b923edcf91413c12e72188f4a707507fdb2248dd6c8eab
              • Instruction Fuzzy Hash: C241AE30900258DEDF14EBA4C895BDDBBB4AF15308F5440AEE409B7292DB786F48CBA5
              APIs
              • _memmove.LIBCMT ref: 00406E8C
              • SysFreeString.OLEAUT32 ref: 00406E98
                • Part of subcall function 00407350: SysAllocStringLen.OLEAUT32(00000000,?), ref: 00407399
                • Part of subcall function 00407350: _memmove.LIBCMT ref: 004073C1
                • Part of subcall function 00407350: SysFreeString.OLEAUT32 ref: 004073D1
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: String$Free_memmove$Alloc
              • String ID: string too long
              • API String ID: 2303858246-2556327735
              • Opcode ID: 533052cea4207016eef6b85b59a558deb7d25f580983b99e3580f7a6aeb8f607
              • Instruction ID: 1171f5bb7f37c25ad5fd3d2ffcffcdeefd7cb78bd9e9df7006f49018e8262446
              • Opcode Fuzzy Hash: 533052cea4207016eef6b85b59a558deb7d25f580983b99e3580f7a6aeb8f607
              • Instruction Fuzzy Hash: D021F6362107045BC720DF79EC8096B73E9EF95321B114E3FE886D7681D778E55887A8
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 0042A854
              • CreateDialogIndirectParamW.USER32(?,00000000,?,?,?), ref: 0042A94D
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: CreateDialogH_prolog3_IndirectParam
              • String ID: MS Sans Serif
              • API String ID: 2249790658-168460110
              • Opcode ID: fcc007d9af22e23ddec7c6d4db6f9e7a2b8b0fcc17153fcfd641f084f5863615
              • Instruction ID: a8dfb28a66434f17e74ca71b9d6684329463ff422aea08c3a5c87157bf395300
              • Opcode Fuzzy Hash: fcc007d9af22e23ddec7c6d4db6f9e7a2b8b0fcc17153fcfd641f084f5863615
              • Instruction Fuzzy Hash: 4F31A270900269DFCF14EFA4C845BDEBBB4BF14308F50009EE945A7292EB789E54CBA5
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 00420DBB
              • DialogBoxIndirectParamW.USER32(00000000,00000000,?,?,?), ref: 00420EA9
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: DialogH_prolog3_IndirectParam
              • String ID: MS Sans Serif
              • API String ID: 1500191164-168460110
              • Opcode ID: 66f379f87402d5bb9c9c8d34958e6c21375fdf7118f66df31c932acff631a3d5
              • Instruction ID: f92bd521c576cf7b97fa2abca9c1239765f8d731a777c8378bdf00d20d26d108
              • Opcode Fuzzy Hash: 66f379f87402d5bb9c9c8d34958e6c21375fdf7118f66df31c932acff631a3d5
              • Instruction Fuzzy Hash: 24318D70900128DBDF14EFA5C855BDEBBB4BF15308F50409EE981A7292DB78AE54CBA4
              APIs
              • _memmove.LIBCMT ref: 004075EC
              • SysFreeString.OLEAUT32(00000000), ref: 004075F8
                • Part of subcall function 00407B20: SysAllocStringLen.OLEAUT32(00000000,?), ref: 00407B69
                • Part of subcall function 00407B20: _memmove.LIBCMT ref: 00407B91
                • Part of subcall function 00407B20: SysFreeString.OLEAUT32(004EF46C), ref: 00407BA1
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1702476697.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1702408407.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702617291.00000000004B6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004ED000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702707347.00000000004F3000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.00000000004F6000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000526000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1702748830.0000000000536000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SureDI.jbxd
              Similarity
              • API ID: String$Free_memmove$Alloc
              • String ID: string too long
              • API String ID: 2303858246-2556327735
              • Opcode ID: 47a3fb31598723f775ff23b096b8043c5be1b2786e3507f6f47f5a9e2a48c5bf
              • Instruction ID: 4830da282ae58dd7eb7600c9638efe6c30f9d51c0ac19a553cea744588c64195
              • Opcode Fuzzy Hash: 47a3fb31598723f775ff23b096b8043c5be1b2786e3507f6f47f5a9e2a48c5bf
              • Instruction Fuzzy Hash: DB11DF72614B006BC720DE6CEC8496A73E9EB95320B104E3FE486D7290D639F4488769
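              The Similarity fields in these records (API ID, String ID, API String ID, Opcode ID, fuzzy hashes) are what an analyst keys on when comparing functions across samples. Two records above, both _memmove helpers carrying the strings "invalid string position$string too long", share API String ID 4104443479-4289949731 while having different Opcode IDs, which is the normal signature of distinct code with the same API/string profile. The parser below is an added example, not Joe Sandbox code and not part of this report: it reads records in the layout shown on this page, groups them by API String ID, and lists the functions whose API arguments or strings mention a given file name such as PSTORES.EXE or the dropped temp path. The embedded input is an abbreviated excerpt of the records above; the section layout it assumes is inferred from this page, not from a documented export format.

```python
"""Parse per-function records from a Joe Sandbox IDA-plugin listing and group
functions that share an API String ID.  Added example: not Joe Sandbox code and
not part of the original report.  It assumes the layout visible in the listing
(records open with an 'APIs' heading; section headings are bare lines; entries
are '•'-prefixed)."""
import re
from collections import defaultdict

# Constructed input: four records copied from the listing above, with the
# Memory Dump Source, IDA Plugin and fuzzy-hash lines left out.
SAMPLE_LISTING = r"""APIs
• __EH_prolog3.LIBCMT ref: 00485C59
• CompareFileTime.KERNEL32(?,00000000,?,?,PSTORES.EXE,00000000), ref: 00485DB1
Similarity
• API ID: CompareFileH_prolog3Time
• String ID: PSTORES.EXE
• API String ID: 2703394530-1209905799
• Opcode ID: 9e48f2fd7d98b77ff11df21dc4d84d3ab372e45f9cf6231faec08fb8483e1fa2
APIs
Similarity
• API ID: _memmove
• String ID: invalid string position$string too long
• API String ID: 4104443479-4289949731
• Opcode ID: 399f6a88b1344059975f47123c8ee0826764bff0a952d80606d10aa112f0a61a
APIs
Similarity
• API ID: _memmove
• String ID: invalid string position$string too long
• API String ID: 4104443479-4289949731
• Opcode ID: a8b71ee6723aa2695697c3f330e166091df1d258e58eb69e0a9d550f40bf270a
APIs
• __EH_prolog3_GS.LIBCMT ref: 00443CE3
  • Part of subcall function 00403E30: SetLastError.KERNEL32(?), ref: 00403E7F
Strings
• C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}, xrefs: 00443DBD
• %s: %s, xrefs: 00443D64
Similarity
• API ID: ErrorH_prolog3_Last$H_prolog3
• String ID: %s: %s$C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}
• API String ID: 3076002782-694142786
• Opcode ID: d1da23b8d8b3e15a84b923edcf91413c12e72188f4a707507fdb2248dd6c8eab
"""

# One API entry: optional subcall prefix, Name.MODULE, optional (args), ref.
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<name>[A-Za-z_][\w@]*)\.(?P<module>[A-Za-z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]+)$")
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}


def parse_records(text):
    """Split the listing at each 'APIs' heading and parse the entries."""
    records, rec, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":                       # every record opens here
            rec = {"apis": [], "strings": [], "similarity": {}}
            records.append(rec)
        if line in SECTIONS:
            section = line
        elif rec is not None and line.startswith("•"):
            entry = line[1:].strip()
            if section == "APIs":
                m = API_RE.match(entry)
                if m:                            # skip unparseable lines
                    rec["apis"].append(m.groupdict())
            elif section == "Strings":           # "<value>, xrefs: <addr>"
                value, _, xref = entry.rpartition(", xrefs: ")
                rec["strings"].append({"value": value, "xref": xref})
            elif section == "Similarity":        # "<key>: <value>"
                key, _, value = entry.partition(": ")
                rec["similarity"][key] = value
    return records


def shared_api_string_ids(records):
    """API String IDs seen in more than one record, mapped to the Opcode IDs
    of those records: same API/string profile, but distinct code."""
    groups = defaultdict(list)
    for rec in records:
        sim = rec["similarity"]
        if "API String ID" in sim:
            groups[sim["API String ID"]].append(sim.get("Opcode ID", ""))
    return {k: v for k, v in groups.items() if len(v) > 1}


def records_mentioning(records, needle):
    """Opcode IDs of records whose API arguments, strings or String ID
    contain `needle` (a file name, a dropped path, ...)."""
    hits = []
    for rec in records:
        fields = [a["args"] or "" for a in rec["apis"]]
        fields += [s["value"] for s in rec["strings"]]
        fields.append(rec["similarity"].get("String ID", ""))
        if any(needle in f for f in fields):
            hits.append(rec["similarity"].get("Opcode ID", ""))
    return hits


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LISTING)
    print(shared_api_string_ids(recs), records_mentioning(recs, "PSTORES.EXE"))
```

              Fed the full listing instead of the excerpt, the same two functions are the only ones in this section that share an API String ID; every other record has a unique one. Subcall entries keep their parent address in the `sub` field, so a hit on a string only reached through a "Part of subcall function" line can be traced back to the callee rather than the function whose record it appears in.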
              APIs
              • __EH_prolog3_catch_GS.LIBCMT ref: 0048395A
                • Part of subcall function 004425B2: __EH_prolog3.LIBCMT ref: 004425B9
                • Part of subcall function 00411254: __EH_prolog3.LIBCMT ref: 0041125B
                • Part of subcall function 00411254: GetLastError.KERNEL32(00000004,00411484,00000000,00000000,00000004,004152FC,?,00000001,00411C1B,00000000), ref: 0041127D
                • Part of subcall function 00411254: SetLastError.KERNEL32(?,00000000), ref: 004112BD
                • Part of subcall function 0044859C: __EH_prolog3.LIBCMT ref: 004485A3
                • Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00415457,00000000,?,00000000,?,00000001,00000044,004152EA,004CC0A0,?,00000000,00000000,00000040,004115AA), ref: 00401B8F
                • Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
                • Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
                • Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4
                • Part of subcall function 0044287A: __EH_prolog3.LIBCMT ref: 00442881
              • __CxxThrowException@8.LIBCMT ref: 00483A19
                • Part of subcall function 00454622: RaiseException.KERNEL32(?,?,00452D08,00000000,?,?,?,?,00452D08,00000000,004E40A8,?), ref: 00454673
                • Part of subcall function 00442C65: __EH_prolog3.LIBCMT ref: 00442C6C
              Strings
              Similarity
              • API ID: H_prolog3$ErrorLast$FreeString$ExceptionException@8H_prolog3_catch_RaiseThrow
              • String ID:
              • API String ID: 1995314774-3916222277
              • Opcode ID: cf7afb7775b6589fcabd1423c7a6e83d1ee7b979c2239c87549bd8c7718dba10
              • Instruction ID: 88a5b8825a9eb37de79992128bd62032657dc0f0fce82855f120b8488c6507f5
              • Opcode Fuzzy Hash: cf7afb7775b6589fcabd1423c7a6e83d1ee7b979c2239c87549bd8c7718dba10
              • Instruction Fuzzy Hash: 7C318230800248A9EB14EFE1C895BDDB7786F15748F54409FF94667182EBB85B48CB69
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 004245D0
                • Part of subcall function 00403E30: GetLastError.KERNEL32 ref: 00403E4F
                • Part of subcall function 00403E30: SetLastError.KERNEL32(?), ref: 00403E7F
                • Part of subcall function 004160CC: __EH_prolog3.LIBCMT ref: 004160D3
                • Part of subcall function 00416071: SysStringLen.OLEAUT32(?), ref: 0041607E
                • Part of subcall function 00416071: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 00416098
              • GetModuleFileNameW.KERNEL32(00000000,00000400,?,00000400), ref: 0042463A
                • Part of subcall function 00411BD3: __EH_prolog3_GS.LIBCMT ref: 00411BDA
                • Part of subcall function 00411BD3: GetLastError.KERNEL32(00000038,004212CA), ref: 00411BE1
                • Part of subcall function 00411BD3: SetLastError.KERNEL32(00000000), ref: 00411C37
                • Part of subcall function 004115ED: __EH_prolog3.LIBCMT ref: 004115F4
                • Part of subcall function 00416398: __EH_prolog3_GS.LIBCMT ref: 004163A2
                • Part of subcall function 004202D0: __EH_prolog3_GS.LIBCMT ref: 004202D7
                • Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00415457,00000000,?,00000000,?,00000001,00000044,004152EA,004CC0A0,?,00000000,00000000,00000040,004115AA), ref: 00401B8F
                • Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
                • Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
                • Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4
                • Part of subcall function 00411456: __EH_prolog3.LIBCMT ref: 0041145D
              Strings
              Similarity
              • API ID: ErrorLast$H_prolog3_String$H_prolog3$Free$AllocFileModuleName
              • String ID: ISSetup.dll
              • API String ID: 4249000290-2131771917
              • Opcode ID: 86be830bd4c238c3d995f1a81b98030c84b6011a6f3fc12c0ef44f824060dc6e
              • Instruction ID: 8e540b64a6dbab8cb09f82de46371af071c0b47a8f519026479a84092fe3da81
              • Opcode Fuzzy Hash: 86be830bd4c238c3d995f1a81b98030c84b6011a6f3fc12c0ef44f824060dc6e
              • Instruction Fuzzy Hash: 0631AE71800158EACB11EBA5CC95BDEBBB8AF55308F0040DEE10AB7192DB781F49CB69
              APIs
              • __EH_prolog3.LIBCMT ref: 004485A3
                • Part of subcall function 004481F1: __EH_prolog3_GS.LIBCMT ref: 004481FB
                • Part of subcall function 004481F1: InterlockedDecrement.KERNEL32(00000000), ref: 0044820B
                • Part of subcall function 004481F1: CloseHandle.KERNEL32(000000FF), ref: 00448233
                • Part of subcall function 004481F1: __CxxThrowException@8.LIBCMT ref: 0044826C
                • Part of subcall function 00455577: _malloc.LIBCMT ref: 0045558F
                • Part of subcall function 00455577: std::exception::exception.LIBCMT ref: 004555AB
                • Part of subcall function 00455577: __CxxThrowException@8.LIBCMT ref: 004555C0
              • GetLastError.KERNEL32(000000FF,00000000,80400100,?,00000000,00484A59,004BAB98,80000000,00000001,00000080,00000003,00000000,00000000,?,00000000,00000084), ref: 0044867E
              Strings
              Similarity
              • API ID: Exception@8Throw$CloseDecrementErrorH_prolog3H_prolog3_HandleInterlockedLast_mallocstd::exception::exception
              • String ID: toys::file
              • API String ID: 2011250969-314977804
              • Opcode ID: 1d4740e08ef5bb5a3c17fc487ec6247a577b76dca29218f81851b30a501c6adf
              • Instruction ID: d392307cf3192cbaca18647cbec9a0358906be2c6d31d0dab187915d4337299c
              • Opcode Fuzzy Hash: 1d4740e08ef5bb5a3c17fc487ec6247a577b76dca29218f81851b30a501c6adf
              • Instruction Fuzzy Hash: 4B212130600305AFEF14AF658881A6E37A6BF05348F00442FF9169B292DF3CDC119B5D
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 00431A29
                • Part of subcall function 00402CA0: GetLastError.KERNEL32(17703A82,?,00000000,?,?,?,004B3A88,000000FF,?,00401F2D,InstallShield.log,?,00000001), ref: 00402CF0
                • Part of subcall function 00402CA0: SetLastError.KERNEL32(?,004CBE7C,00000000,?,00000000,?,?,?,004B3A88,000000FF,?,00401F2D,InstallShield.log,?,00000001), ref: 00402D68
                • Part of subcall function 0044561A: __EH_prolog3_GS.LIBCMT ref: 00445624
                • Part of subcall function 00401AC0: GetLastError.KERNEL32(?,00000000,004035F7,00000000,00000000,?,?,00000000,004CBE7C,?,00000001,?,00000000,000000FF,-00000004,?), ref: 00401ACF
                • Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AEB
                • Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AF6
                • Part of subcall function 00401AC0: SetLastError.KERNEL32(?), ref: 00401B14
                • Part of subcall function 00443EAF: __EH_prolog3_GS.LIBCMT ref: 00443EB9
                • Part of subcall function 00450202: lstrlenW.KERNEL32(?,?,?,00447A1B,004F2640,?,004F2EDC,?,?,004199BE,00000000,00000001,0000044F,00000000,000008A8,00428637), ref: 0045020A
                • Part of subcall function 00450202: lstrcpynW.KERNEL32(?,?,-00000001,?,00447A1B,004F2640,?,004F2EDC,?,?,004199BE,00000000,00000001,0000044F,00000000,000008A8), ref: 0045022E
                • Part of subcall function 00450202: lstrcatW.KERNEL32(?,?,?,?,00447A1B,004F2640,?,004F2EDC,?,?,004199BE,00000000,00000001,0000044F,00000000,000008A8), ref: 0045024B
              Strings
              • C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}, xrefs: 00431B07
              • CertKey, xrefs: 00431A68
              Similarity
              • API ID: ErrorLast$H_prolog3_$FreeString$lstrcatlstrcpynlstrlen
              • String ID: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}$CertKey
              • API String ID: 1153083858-2763442961
              • Opcode ID: 45d24bfc29bdb978259442e680b6e8c277ea6d8f9436244e4118b7ebdf4fe40c
              • Instruction ID: cc08a478d0d202e7970e6b9d1655134fa035d6145339f874eb984ae37301052e
              • Opcode Fuzzy Hash: 45d24bfc29bdb978259442e680b6e8c277ea6d8f9436244e4118b7ebdf4fe40c
              • Instruction Fuzzy Hash: 7F315030A10208EADB10EBA5CC41BDDB7B8AF94304F5440AFF505B7191DB785B48CB65
              APIs
              Strings
              Similarity
              • API ID: H_prolog3_
              • String ID: dotnetredist.exe
              • API String ID: 2427045233-357393476
              • Opcode ID: ae9b5a70059955adf88c099bf684837ce14d4cc6885603e3b30e8fb6a5e2363e
              • Instruction ID: e327337c450b3bcca3847fbc3813f708cfc43e725063af49e895c06f49c852d7
              • Opcode Fuzzy Hash: ae9b5a70059955adf88c099bf684837ce14d4cc6885603e3b30e8fb6a5e2363e
              • Instruction Fuzzy Hash: F2319571900228EADF20EA65CC5DBDDB3B8AB14704F5041EAE909A7191DB385F89CF95
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 00484E7C
                • Part of subcall function 004166AC: __EH_prolog3_GS.LIBCMT ref: 004166B6
                • Part of subcall function 00441DD7: __EH_prolog3_GS.LIBCMT ref: 00441DDE
                • Part of subcall function 00411254: __EH_prolog3.LIBCMT ref: 0041125B
                • Part of subcall function 00411254: GetLastError.KERNEL32(00000004,00411484,00000000,00000000,00000004,004152FC,?,00000001,00411C1B,00000000), ref: 0041127D
                • Part of subcall function 00411254: SetLastError.KERNEL32(?,00000000), ref: 004112BD
                • Part of subcall function 00489A20: __EH_prolog3_GS.LIBCMT ref: 00489A27
              Strings
              • .EXE, xrefs: 00484E95
              • SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00484EF4
              Similarity
              • API ID: H_prolog3_$ErrorLast$H_prolog3
              • String ID: .EXE$SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs
              • API String ID: 3033373895-4260402741
              • Opcode ID: 6b637be313911ddf3db7b1b90c63eed1077658fb2ca0b07143e259c09c1a1fed
              • Instruction ID: d42e280691c7ca67b04279af6b3f4a8de498a70233ed58b46f547e6e90cefb21
              • Opcode Fuzzy Hash: 6b637be313911ddf3db7b1b90c63eed1077658fb2ca0b07143e259c09c1a1fed
              • Instruction Fuzzy Hash: 1E2129B4901104AACB00FFA6C856BDE7BA89F56348F50005FF9099B252E77D4A4AC7D9
              APIs
              Strings
              Similarity
              • API ID: _sprintf_strlen
              • String ID: %02X
              • API String ID: 3493289842-436463671
              • Opcode ID: 6b6f79bcf3d090b5ef0d23c084427cdd92fd733390c57c74bda61791e7a6769f
              • Instruction ID: 8c634330f26b795316368b01b96717fa154e5b38e665e0237d969b8a575f3ae4
              • Opcode Fuzzy Hash: 6b6f79bcf3d090b5ef0d23c084427cdd92fd733390c57c74bda61791e7a6769f
              • Instruction Fuzzy Hash: 831127364052197EDB126F65DC42CEF376DEF46349B20003BFD00A6142EA7E9A9997EC
              APIs
              Strings
              Similarity
              • API ID: Event
              • String ID: d
              • API String ID: 4201588131-2564639436
              • Opcode ID: a5af36bb03daad3ab22d1b0351482a7f3d3eaf21d7726a92ef0992f369cac2eb
              • Instruction ID: e9e03579f4e227a4e8b11ab5c866db5f39999e8f6e92fbd170ddd16e55d4e2f7
              • Opcode Fuzzy Hash: a5af36bb03daad3ab22d1b0351482a7f3d3eaf21d7726a92ef0992f369cac2eb
              • Instruction Fuzzy Hash: 82218831100205DFCF24CF14D845A66BBF0FB0A312F10887AE9468B271C776EA46CB8A
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 0042860C
                • Part of subcall function 00418FA2: __EH_prolog3.LIBCMT ref: 00418FA9
                • Part of subcall function 00419949: __EH_prolog3_GS.LIBCMT ref: 00419953
              • lstrcpyW.KERNEL32(?,00000000,00000452,?,00000218,004288DB,?,0000043C,0040F9AC,?), ref: 00428668
              Strings
              • C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}, xrefs: 00428652
              Similarity
              • API ID: H_prolog3_$H_prolog3lstrcpy
              • String ID: C:\Users\user\AppData\Local\Temp\{ACB5ABDE-1955-466A-9C3A-B1FFF8BB5CFB}
              • API String ID: 3469851533-255431040
              • Opcode ID: 855a6e89c8ba78a6e668ab4449bdeee9ccad4c889ded1a134ab9282b85b82e50
              • Instruction ID: 4c0fc84151ee55e430046002658f9d5494e6096a0fa3ac1fc7abc21d1a796a3e
              • Opcode Fuzzy Hash: 855a6e89c8ba78a6e668ab4449bdeee9ccad4c889ded1a134ab9282b85b82e50
              • Instruction Fuzzy Hash: EF11E1717012289BCB10FBA1DD96AEE33A4AB54304F5001AFF50597192DF7C9E81CB5C
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 00431BA4
                • Part of subcall function 00402CA0: GetLastError.KERNEL32(17703A82,?,00000000,?,?,?,004B3A88,000000FF,?,00401F2D,InstallShield.log,?,00000001), ref: 00402CF0
                • Part of subcall function 00402CA0: SetLastError.KERNEL32(?,004CBE7C,00000000,?,00000000,?,?,?,004B3A88,000000FF,?,00401F2D,InstallShield.log,?,00000001), ref: 00402D68
                • Part of subcall function 004457A9: __EH_prolog3_GS.LIBCMT ref: 004457B0
                • Part of subcall function 00401AC0: GetLastError.KERNEL32(?,00000000,004035F7,00000000,00000000,?,?,00000000,004CBE7C,?,00000001,?,00000000,000000FF,-00000004,?), ref: 00401ACF
                • Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AEB
                • Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AF6
                • Part of subcall function 00401AC0: SetLastError.KERNEL32(?), ref: 00401B14
                • Part of subcall function 004354A1: __EH_prolog3_GS.LIBCMT ref: 004354AB
              Strings
              Similarity
              • API ID: ErrorLast$H_prolog3_$FreeString
              • String ID: Type$dotnetfx.exe
              • API String ID: 1274762985-1335848363
              • Opcode ID: 6be201562b3ac95e976c518578f926ce6d867f2f4da0d2119d30cc59714d876d
              • Instruction ID: 0531b84d92f30eca58fe9cf1eeaab68bd7925ab6cac754cde784c3e79e0431b7
              • Opcode Fuzzy Hash: 6be201562b3ac95e976c518578f926ce6d867f2f4da0d2119d30cc59714d876d
              • Instruction Fuzzy Hash: 5101C434A10218EBEB20E6A1CC52BED7368AF54358F24002FB501B71D2DBBD5E09CB59
              APIs
              • __EH_prolog3.LIBCMT ref: 0041FCBB
                • Part of subcall function 0041FAD7: __EH_prolog3.LIBCMT ref: 0041FADE
                • Part of subcall function 0041FAD7: SysStringLen.OLEAUT32(?), ref: 0041FB12
              • SysStringLen.OLEAUT32(?), ref: 0041FCD8
                • Part of subcall function 0041DFC0: __EH_prolog3.LIBCMT ref: 0041DFC7
                • Part of subcall function 0041DFC0: GetLastError.KERNEL32(00000004,0041E18C), ref: 0041DFE4
                • Part of subcall function 0041DFC0: SysFreeString.OLEAUT32(?), ref: 0041DFF1
                • Part of subcall function 0041DFC0: SetLastError.KERNEL32(?), ref: 0041E00B
                • Part of subcall function 0041DFC0: GetLastError.KERNEL32 ref: 0041E01E
                • Part of subcall function 0041DFC0: SysFreeString.OLEAUT32(?), ref: 0041E043
                • Part of subcall function 0041DFC0: SetLastError.KERNEL32(?), ref: 0041E057
                • Part of subcall function 00420034: SysStringLen.OLEAUT32(00000000), ref: 00420044
                • Part of subcall function 0041E96E: __EH_prolog3.LIBCMT ref: 0041E975
              Strings
              Similarity
              • API ID: String$ErrorH_prolog3Last$Free
              • String ID: .
              • API String ID: 941262072-248832578
              • Opcode ID: 9ed40d9600a276ea7cd8012fb1423f297307fc2966e6a1674fb774167baa2826
              • Instruction ID: b6a021ab73106ede6e11e8c74c7481deb1fee2b4af175e56c670098afa43d5a1
              • Opcode Fuzzy Hash: 9ed40d9600a276ea7cd8012fb1423f297307fc2966e6a1674fb774167baa2826
              • Instruction Fuzzy Hash: 8101D270910108ABDB00EF95DC84BFEB6B8EF01369F20422BB025A71D1CB7C4A45C7A5
              APIs
              Strings
              • This setup was created with a BETA VERSION of %s, xrefs: 00447DC8
              • This setup was created with a EVALUATION VERSION of %s, xrefs: 00447E08
              Similarity
              • API ID: H_prolog3_
              • String ID: This setup was created with a BETA VERSION of %s$ This setup was created with a EVALUATION VERSION of %s
              • API String ID: 2427045233-3771001655
              • Opcode ID: a08e61bd1e41d47743dc43393e5a31b22b1ffe0d441559da7aaeef3ff18678e6
              • Instruction ID: 09c63707e2caba068300fe0376f6090ca1dc965c21cc20a451eb5a7a40567719
              • Opcode Fuzzy Hash: a08e61bd1e41d47743dc43393e5a31b22b1ffe0d441559da7aaeef3ff18678e6
              • Instruction Fuzzy Hash: 7F11E170A04244AEFB14EBA5CC52FED7764AB00718F60418EF1816B1D2DBBC5E4AC748
              APIs
              • _memset.LIBCMT ref: 0042E61F
                • Part of subcall function 00450D2A: lstrcpyW.KERNEL32(000003FE,004CBE7C,?), ref: 00450D68
                • Part of subcall function 00450D2A: lstrcpyW.KERNEL32(00000000,004CBE7C), ref: 00450D70
                • Part of subcall function 00450D2A: _malloc.LIBCMT ref: 00450D8A
                • Part of subcall function 00450D2A: _memset.LIBCMT ref: 00450D9B
                • Part of subcall function 00450D2A: _memset.LIBCMT ref: 00450DC6
                • Part of subcall function 00450D2A: wsprintfW.USER32 ref: 00450E18
                • Part of subcall function 00450D2A: _memset.LIBCMT ref: 00450E30
                • Part of subcall function 004519EB: lstrcpyW.KERNEL32(?,@&O,00000000), ref: 00451A24
                • Part of subcall function 004519EB: lstrcpyW.KERNEL32(?,00000001), ref: 00451A2E
                • Part of subcall function 004519EB: _swscanf.LIBCMT ref: 00451AA3
                • Part of subcall function 004519EB: _swscanf.LIBCMT ref: 00451ACC
              Similarity
              • API ID: _memsetlstrcpy$_swscanf$_mallocwsprintf
              • String ID: 4.70.0.1300$WinInet.dll
              • API String ID: 3061408237-898075288
              • Opcode ID: 4fc91f009e82ab679f27e05b307f319a50a8255dcae43b9694d0fc4de1c4f45d
              • Instruction ID: c8900d03f9d7970effcd9c5415abb580ff2405b102a69ef0c24f4d8f0f1f6616
              • Opcode Fuzzy Hash: 4fc91f009e82ab679f27e05b307f319a50a8255dcae43b9694d0fc4de1c4f45d
              • Instruction Fuzzy Hash: FEF0AEB560020867D724EBA59D42DDB73FC9B45705F00016FBA01E3182DB78AA45C75D
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 0044A512
                • Part of subcall function 004115ED: __EH_prolog3.LIBCMT ref: 004115F4
              Similarity
              • API ID: H_prolog3H_prolog3_
              • String ID: X$A$ftp://
              • API String ID: 3355343447-1633733951
              • Opcode ID: 36f212b16d7336c21a7e22e641b25fbc5f7a8ebda803c4cf9af1820d77d63c43
              • Instruction ID: 820067bee7d78827f4d02fa7f9419ef72dd2f913f4e490609ebdc6016019bf3d
              • Opcode Fuzzy Hash: 36f212b16d7336c21a7e22e641b25fbc5f7a8ebda803c4cf9af1820d77d63c43
              • Instruction Fuzzy Hash: 23014C71D01208EECB28DFE9C9915DEBBB4AF01324F60822EE076A6191E7385A06CB14
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 0044A606
                • Part of subcall function 004115ED: __EH_prolog3.LIBCMT ref: 004115F4
              Similarity
              • API ID: H_prolog3H_prolog3_
              • String ID: X$A$https://
              • API String ID: 3355343447-1114710999
              • Opcode ID: 7b4466e8e75e8610d5512a5a09589eb7567b6adcbef61136611379b7cf8307ac
              • Instruction ID: 69a7e23b8feb0621386ad6f322b62b29e044bdd9b7ab9fd87bb4e5ef98d52d03
              • Opcode Fuzzy Hash: 7b4466e8e75e8610d5512a5a09589eb7567b6adcbef61136611379b7cf8307ac
              • Instruction Fuzzy Hash: 9E015271D01208DFCB24DFE9D9915DEBBB4AF15314F60422EE076A2191D7385E06CB18
              APIs
              • __EH_prolog3_GS.LIBCMT ref: 0044A58C
                • Part of subcall function 004115ED: __EH_prolog3.LIBCMT ref: 004115F4
              Similarity
              • API ID: H_prolog3H_prolog3_
              • String ID: X$A$http://
              • API String ID: 3355343447-2217712507
              • Opcode ID: 143aa65c0444c377015c2fdde047067629ce32dbc1db450c7e4cd7837b9971dd
              • Instruction ID: f41e450a8143f7fccbfe2e0cdcbfc037acaf434c470676d02e3f3f9b99daca96
              • Opcode Fuzzy Hash: 143aa65c0444c377015c2fdde047067629ce32dbc1db450c7e4cd7837b9971dd
              • Instruction Fuzzy Hash: DD015E71D01208EFCB28DFE9C9915DEBBB4AF01314F60826EE076A3191EB385E06DB14
              APIs
              • _memset.LIBCMT ref: 00446648
                • Part of subcall function 0041292E: __EH_prolog3_GS.LIBCMT ref: 00412935
              Similarity
              • API ID: H_prolog3__memset
              • String ID: PackageName$Startup
              • API String ID: 3055368530-2142348390
              • Opcode ID: c343ef40fd0c0c000c80bc1a3ea47b583dc2b1f8524a320fc8c87d10d45c5f1c
              • Instruction ID: eef758d6c8ab429fa5f631830679f044fdae4251a5e323d2f380f91755ce0f66
              • Opcode Fuzzy Hash: c343ef40fd0c0c000c80bc1a3ea47b583dc2b1f8524a320fc8c87d10d45c5f1c
              • Instruction Fuzzy Hash: D2F09CB5A40218A7D750EF249D43FDA73E8BB04704F11546AA645E21C1DE745E4C8788
              APIs
              • GetProcAddress.KERNEL32(?,RunISMSISetup), ref: 00424CC1
              • GetLastError.KERNEL32 ref: 00424CCB
              Similarity
              • API ID: AddressErrorLastProc
              • String ID: RunISMSISetup
              • API String ID: 199729137-1536503584
              • Opcode ID: 2ceae4c5ee959f91f74f8c06b8c740d23e7b16a1101eb11eabc2ab8339134179
              • Instruction ID: bdbba7cc632fab8abd800d8e6e4208364435b874bc61f14c8dbeb6632827614c
              • Opcode Fuzzy Hash: 2ceae4c5ee959f91f74f8c06b8c740d23e7b16a1101eb11eabc2ab8339134179
              • Instruction Fuzzy Hash: 5AF02B302262208FD7049B34FD44A7333E5FB95706B42417FEC0281610D73DE841D668
              Similarity
              • API ID: NameName::
              • String ID: {flat}
              • API String ID: 1333004437-2606204563
              • Opcode ID: 5ddfbb4f7ac09c3ded9416ba70b94cccc7e0815a2d78cffa1ad231c107747060
              • Instruction ID: 8cb733b590c7699d7a9a50b448eea5dec32bb6a058dd1f21a1d41cc6df829b1e
              • Opcode Fuzzy Hash: 5ddfbb4f7ac09c3ded9416ba70b94cccc7e0815a2d78cffa1ad231c107747060
              • Instruction Fuzzy Hash: 58F0A0746003489FD700DF54D855BB63BE0DB41B59F04804AE54C0F352DA78D890CB8A
              APIs
              • GetLastError.KERNEL32(?,?,004940AE,?,?,?), ref: 004940FE
              • GetLastError.KERNEL32(?,?,004940AE,?,?,?), ref: 00494108
              • SetLastError.KERNEL32(00000000,?,?,004940AE,?,?,?), ref: 0049414A
              • SetLastError.KERNEL32(00000000,?,?,004940AE,?,?,?), ref: 00494154
              Similarity
              • API ID: ErrorLast
              • String ID:
              • API String ID: 1452528299-0
              • Opcode ID: 409492ee8c4fdb6f73e902fdbbb1362120b545e43a903e454dd1771b7cea75d1
              • Instruction ID: 4a198b0929fe45faa688222bb570e8974f0c50e1ea6113ab889fc8589843ec22
              • Opcode Fuzzy Hash: 409492ee8c4fdb6f73e902fdbbb1362120b545e43a903e454dd1771b7cea75d1
              • Instruction Fuzzy Hash: 5FF0903010420497DF251F11DC0EB9A3FD5AB65715F14853BE825812A1CB7D88D3DB59