Windows Analysis Report
SPCapIQProOffice-1.0.24095.1.exe

Overview

General Information

Sample name: SPCapIQProOffice-1.0.24095.1.exe
Analysis ID: 1428493
MD5: c09651c0422f8bb452b82232a454eee8
SHA1: b7ec43f40cb6f8895de76d658fc4e8b2ecbb3038
SHA256: dc5f345565aa2cc4dd0b446d96204cb9f7135757795370fd581ab4a9458d8b1d
Detection

Score: 24
Range: 0 - 100
Whitelisted: false
Confidence: 0%

Compliance

Score: 52
Range: 0 - 100

Signatures

Installs new ROOT certificates
Writes many files with high entropy
Checks for available system drives (often done to infect USB drives)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates COM task schedule object (often to register a task for autostart)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
Found evaded block containing many API calls
Found evasive API chain (date check)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Queries time zone information
Sample file is different than original file name gathered from version info
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Analysis Advice

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox
Sample is looking for USB drives. Launch the sample with the USB Fake Disk cookbook
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior
Sample searches for specific file, try point organization specific fake files to the analysis machine
  • System is w10x64
  • SPCapIQProOffice-1.0.24095.1.exe (PID: 7316 cmdline: "C:\Users\user\Desktop\SPCapIQProOffice-1.0.24095.1.exe" MD5: C09651C0422F8BB452B82232A454EEE8)
    • SPCapIQProOffice-1.0.24095.1.exe (PID: 7336 cmdline: "C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exe" -burn.clean.room="C:\Users\user\Desktop\SPCapIQProOffice-1.0.24095.1.exe" -burn.filehandle.attached=532 -burn.filehandle.self=528 MD5: C09651C0422F8BB452B82232A454EEE8)
      • SPCapIQProOffice-1.0.24095.1.exe (PID: 7420 cmdline: "C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exe" -q -burn.elevated BurnPipe.{22255B69-8FB0-4B58-9A37-96EAAA229CC0} {B6A53FD5-A31E-4AF8-BB77-CA62C452506E} 7336 MD5: C09651C0422F8BB452B82232A454EEE8)
        • vstor_redist.exe (PID: 7840 cmdline: "C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe" /i /q /norestart MD5: 72F6A267DE1FA813073DED67D952FD40)
          • Setup.exe (PID: 7728 cmdline: c:\e4b15374fbeb09b00c2ff6ea22\Setup.exe /i /q /norestart MD5: DC0E68D2F5C7894259FE7B78D6336CD8)
            • vstor40_x64.exe (PID: 2472 cmdline: vstor40_x64.exe /q MD5: 299A451E3DA67D8E661AE2F22F1ABC5B)
              • install.exe (PID: 2800 cmdline: c:\9e8b505ac5bf67d26cfba004c7a3fd\install.exe /q MD5: D2AC2D95581DB0D6B52757C2ED839E85)
  • SrTasks.exe (PID: 7928 cmdline: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:1 MD5: 2694D2D28C368B921686FE567BD319EB)
    • conhost.exe (PID: 7944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • SPCapIQProOffice-1.0.24095.1.exe (PID: 6524 cmdline: "C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe" /burn.runonce MD5: C09651C0422F8BB452B82232A454EEE8)
    • SPCapIQProOffice-1.0.24095.1.exe (PID: 7332 cmdline: "C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe" /burn.log.append "C:\Users\user\AppData\Local\Temp\S&P_Capital_IQ_Pro_Office_20240419025210.log" MD5: C09651C0422F8BB452B82232A454EEE8)
      • SPCapIQProOffice-1.0.24095.1.exe (PID: 7396 cmdline: "C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe" -burn.clean.room="C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe" -burn.filehandle.attached=520 -burn.filehandle.self=540 /burn.log.append "C:\Users\user\AppData\Local\Temp\S&P_Capital_IQ_Pro_Office_20240419025210.log" MD5: C09651C0422F8BB452B82232A454EEE8)
        • SPCapIQProOffice-1.0.24095.1.exe (PID: 5404 cmdline: "C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe" -q -burn.elevated BurnPipe.{F8907890-6A84-4345-B5A9-D02185C4BBD7} {C0D578AC-8A16-4B2B-B0EB-8A9283D46FE9} 7396 MD5: C09651C0422F8BB452B82232A454EEE8)
          • vstor_redist.exe (PID: 1076 cmdline: "C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe" /i /q /norestart MD5: 72F6A267DE1FA813073DED67D952FD40)
            • Setup.exe (PID: 5780 cmdline: c:\5dbc7bbf14917454e3442522d4a6\Setup.exe /i /q /norestart MD5: DC0E68D2F5C7894259FE7B78D6336CD8)
  • SrTasks.exe (PID: 7464 cmdline: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2 MD5: 2694D2D28C368B921686FE567BD319EB)
    • conhost.exe (PID: 7624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • msiexec.exe (PID: 5356 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 7888 cmdline: c:\Windows\syswow64\MsiExec.exe -Embedding 50D0C51C5F29CB2F939D1D66AF46B8FD MD5: 9D09DC1EDA745A5F87553048E57620CF)
    • msiexec.exe (PID: 7000 cmdline: c:\Windows\System32\MsiExec.exe -Embedding 392B92B2C8922C55BB291E3DD13F1718 MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 2912 cmdline: c:\Windows\syswow64\MsiExec.exe -Embedding 8B188487738B9071562D9EF7776E0846 M Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)
    • msiexec.exe (PID: 848 cmdline: c:\Windows\System32\MsiExec.exe -Embedding 65B24CE328994E1BC77923B19C5082F3 E Global\MSI0000 MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 2664 cmdline: c:\Windows\syswow64\MsiExec.exe -Embedding 417DB550FCDE732E3591759ED0C0D26B E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • ngen.exe (PID: 1340 cmdline: c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll" /queue:3 /NoDependencies MD5: 417D6EA61C097F8DF6FEF2A57F9692DF)
        • conhost.exe (PID: 1640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • ngen.exe (PID: 2112 cmdline: c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll" /queue:3 /NoDependencies MD5: B6C3FE33B436E5006514403824F17C66)
        • conhost.exe (PID: 4520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • ngen.exe (PID: 5468 cmdline: c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll" /queue:3 /NoDependencies MD5: 417D6EA61C097F8DF6FEF2A57F9692DF)
        • conhost.exe (PID: 4412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • ngen.exe (PID: 2996 cmdline: c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll" /queue:3 /NoDependencies MD5: B6C3FE33B436E5006514403824F17C66)
        • conhost.exe (PID: 3344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • ngen.exe (PID: 1808 cmdline: c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll" /queue:3 /NoDependencies MD5: 417D6EA61C097F8DF6FEF2A57F9692DF)
        • conhost.exe (PID: 2332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • ngen.exe (PID: 3888 cmdline: c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll" /queue:3 /NoDependencies MD5: B6C3FE33B436E5006514403824F17C66)
        • conhost.exe (PID: 4128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • ngen.exe (PID: 8068 cmdline: c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll" /queue:3 /NoDependencies MD5: 417D6EA61C097F8DF6FEF2A57F9692DF)
        • conhost.exe (PID: 1664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • ngen.exe (PID: 8128 cmdline: c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll" /queue:3 /NoDependencies MD5: B6C3FE33B436E5006514403824F17C66)
        • conhost.exe (PID: 7620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • ngen.exe (PID: 2992 cmdline: c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll" /queue:3 /NoDependencies MD5: 417D6EA61C097F8DF6FEF2A57F9692DF)
        • conhost.exe (PID: 5180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches
Source: Registry Key set, Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe" /burn.runonce, EventID: 13, EventType: SetValue, Image: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exe, ProcessId: 7420, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{56aa9754-57aa-4a26-a164-12075d94eb2e}
No Snort rule has matched

Source: C:\Users\user\Desktop\SPCapIQProOffice-1.0.24095.1.exe, Code function: 0_2_0002A0BB DecryptFileW,0_2_0002A0BB
Source: C:\Users\user\Desktop\SPCapIQProOffice-1.0.24095.1.exe, Code function: 0_2_0004FA62 CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError,0_2_0004FA62
Source: C:\Users\user\Desktop\SPCapIQProOffice-1.0.24095.1.exe, Code function: 0_2_00029E9E DecryptFileW,DecryptFileW,0_2_00029E9E
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exe, Code function: 1_2_0095A0BB DecryptFileW,1_2_0095A0BB
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exe, Code function: 1_2_0097FA62 CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError,1_2_0097FA62
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exe, Code function: 1_2_00959E9E DecryptFileW,DecryptFileW,1_2_00959E9E
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exe, Code function: 2_2_0068FA62 CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError,2_2_0068FA62
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exe, Code function: 2_2_00669E9E DecryptFileW,DecryptFileW,2_2_00669E9E
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exe, Code function: 2_2_0066A0BB DecryptFileW,2_2_0066A0BB
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe, Code function: 11_2_0017A0BB DecryptFileW,11_2_0017A0BB
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe, Code function: 11_2_0019FA62 CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError,11_2_0019FA62
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe, Code function: 11_2_00179E9E DecryptFileW,DecryptFileW,11_2_00179E9E

Compliance

Source: SPCapIQProOffice-1.0.24095.1.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VC
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VC\msdia100.dll
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\install.ini
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\vstor40_x64.cab
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\eula.1025.txt
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\eula.2052.txt
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\eula.1028.txt
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\eula.1030.txt
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\eula.1031.txt
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\eula.1033.txt
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\eula.3082.txt
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\eula.1035.txt
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\eula.1036.txt
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\eula.1037.txt
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\eula.1040.txt
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\eula.1041.txt
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\eula.1042.txt
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\eula.1043.txt
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\eula.1044.txt
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\eula.1045.txt
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\eula.1046.txt
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\eula.1049.txt
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\eula.1053.txt
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\globdata.ini
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\install.exe
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\install.res.1025.dll
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\install.res.2052.dll
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\install.res.1028.dll
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\install.res.1030.dll
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\install.res.1031.dll
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\install.res.1033.dll
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\install.res.3082.dll
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\install.res.1035.dll
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\install.res.1036.dll
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\install.res.1037.dll
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\install.res.1040.dll
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\install.res.1041.dll
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\install.res.1042.dll
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\install.res.1043.dll
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\install.res.1044.dll
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\install.res.1045.dll
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\install.res.1046.dll
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\install.res.1049.dll
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\install.res.1053.dll
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\VSTOInstallerUI.dll
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\VSTOLoaderUI.dll
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOMessageProvider.dll
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\vstor40_x64.MSI
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee100.tlb
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee90.tlb
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee.dll
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOLoader.dll
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SystemRestore SRInitDone
Source: C:\e4b15374fbeb09b00c2ff6ea22\Setup.exe, File created: C:\Users\user\AppData\Local\Temp\Microsoft Visual Studio Tools for Office Runtime 2010 Setup_20240419_025312968-MSI_vc_red.msi.txt
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeFile created: c:\e4b15374fbeb09b00c2ff6ea22\1033\eula.rtf
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeFile created: c:\e4b15374fbeb09b00c2ff6ea22\1025\eula.rtf
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeFile created: c:\e4b15374fbeb09b00c2ff6ea22\2052\eula.rtf
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeFile created: c:\e4b15374fbeb09b00c2ff6ea22\1028\eula.rtf
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeFile created: c:\e4b15374fbeb09b00c2ff6ea22\1030\eula.rtf
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeFile created: c:\e4b15374fbeb09b00c2ff6ea22\1031\eula.rtf
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeFile created: c:\e4b15374fbeb09b00c2ff6ea22\3082\eula.rtf
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeFile created: c:\e4b15374fbeb09b00c2ff6ea22\1035\eula.rtf
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeFile created: c:\e4b15374fbeb09b00c2ff6ea22\1036\eula.rtf
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeFile created: c:\e4b15374fbeb09b00c2ff6ea22\1037\eula.rtf
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeFile created: c:\e4b15374fbeb09b00c2ff6ea22\1040\eula.rtf
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeFile created: c:\e4b15374fbeb09b00c2ff6ea22\1041\eula.rtf
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeFile created: c:\e4b15374fbeb09b00c2ff6ea22\1042\eula.rtf
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeFile created: c:\e4b15374fbeb09b00c2ff6ea22\1043\eula.rtf
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeFile created: c:\e4b15374fbeb09b00c2ff6ea22\1044\eula.rtf
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeFile created: c:\e4b15374fbeb09b00c2ff6ea22\1045\eula.rtf
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeFile created: c:\e4b15374fbeb09b00c2ff6ea22\1046\eula.rtf
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeFile created: c:\e4b15374fbeb09b00c2ff6ea22\1049\eula.rtf
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeFile created: c:\e4b15374fbeb09b00c2ff6ea22\1053\eula.rtf
Source: C:\Windows\System32\msiexec.exeFile created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\eula.1025.txt
Source: C:\Windows\System32\msiexec.exeFile created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\eula.2052.txt
Source: C:\Windows\System32\msiexec.exeFile created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\eula.1028.txt
Source: C:\Windows\System32\msiexec.exeFile created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\eula.1030.txt
Source: C:\Windows\System32\msiexec.exeFile created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\eula.1031.txt
Source: C:\Windows\System32\msiexec.exeFile created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\eula.1033.txt
Source: C:\Windows\System32\msiexec.exeFile created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\eula.3082.txt
Source: C:\Windows\System32\msiexec.exeFile created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\eula.1035.txt
Source: C:\Windows\System32\msiexec.exe File created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\eula.1036.txt
Source: C:\Windows\System32\msiexec.exe File created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\eula.1037.txt
Source: C:\Windows\System32\msiexec.exe File created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\eula.1040.txt
Source: C:\Windows\System32\msiexec.exe File created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\eula.1041.txt
Source: C:\Windows\System32\msiexec.exe File created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\eula.1042.txt
Source: C:\Windows\System32\msiexec.exe File created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\eula.1043.txt
Source: C:\Windows\System32\msiexec.exe File created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\eula.1044.txt
Source: C:\Windows\System32\msiexec.exe File created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\eula.1045.txt
Source: C:\Windows\System32\msiexec.exe File created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\eula.1046.txt
Source: C:\Windows\System32\msiexec.exe File created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\eula.1049.txt
Source: C:\Windows\System32\msiexec.exe File created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\eula.1053.txt
Source: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exe File created: c:\9e8b505ac5bf67d26cfba004c7a3fd\eula.1033.txt
Source: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exe File created: c:\9e8b505ac5bf67d26cfba004c7a3fd\eula.2052.txt
Source: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exe File created: c:\9e8b505ac5bf67d26cfba004c7a3fd\eula.1028.txt
Source: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exe File created: c:\9e8b505ac5bf67d26cfba004c7a3fd\eula.1031.txt
Source: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exe File created: c:\9e8b505ac5bf67d26cfba004c7a3fd\eula.3082.txt
Source: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exe File created: c:\9e8b505ac5bf67d26cfba004c7a3fd\eula.1036.txt
Source: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exe File created: c:\9e8b505ac5bf67d26cfba004c7a3fd\eula.1040.txt
Source: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exe File created: c:\9e8b505ac5bf67d26cfba004c7a3fd\eula.1041.txt
Source: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exe File created: c:\9e8b505ac5bf67d26cfba004c7a3fd\eula.1042.txt
Source: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exe File created: c:\9e8b505ac5bf67d26cfba004c7a3fd\eula.1025.txt
Source: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exe File created: c:\9e8b505ac5bf67d26cfba004c7a3fd\eula.1030.txt
Source: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exe File created: c:\9e8b505ac5bf67d26cfba004c7a3fd\eula.1035.txt
Source: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exe File created: c:\9e8b505ac5bf67d26cfba004c7a3fd\eula.1037.txt
Source: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exe File created: c:\9e8b505ac5bf67d26cfba004c7a3fd\eula.1043.txt
Source: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exe File created: c:\9e8b505ac5bf67d26cfba004c7a3fd\eula.1044.txt
Source: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exe File created: c:\9e8b505ac5bf67d26cfba004c7a3fd\eula.1045.txt
Source: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exe File created: c:\9e8b505ac5bf67d26cfba004c7a3fd\eula.1046.txt
Source: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exe File created: c:\9e8b505ac5bf67d26cfba004c7a3fd\eula.1049.txt
Source: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exe File created: c:\9e8b505ac5bf67d26cfba004c7a3fd\eula.1053.txt
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe File created: c:\5dbc7bbf14917454e3442522d4a6\1033\eula.rtf
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe File created: c:\5dbc7bbf14917454e3442522d4a6\1025\eula.rtf
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe File created: c:\5dbc7bbf14917454e3442522d4a6\2052\eula.rtf
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe File created: c:\5dbc7bbf14917454e3442522d4a6\1028\eula.rtf
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe File created: c:\5dbc7bbf14917454e3442522d4a6\1030\eula.rtf
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe File created: c:\5dbc7bbf14917454e3442522d4a6\1031\eula.rtf
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe File created: c:\5dbc7bbf14917454e3442522d4a6\3082\eula.rtf
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe File created: c:\5dbc7bbf14917454e3442522d4a6\1035\eula.rtf
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe File created: c:\5dbc7bbf14917454e3442522d4a6\1036\eula.rtf
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe File created: c:\5dbc7bbf14917454e3442522d4a6\1037\eula.rtf
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe File created: c:\5dbc7bbf14917454e3442522d4a6\1040\eula.rtf
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe File created: c:\5dbc7bbf14917454e3442522d4a6\1041\eula.rtf
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe File created: c:\5dbc7bbf14917454e3442522d4a6\1042\eula.rtf
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe File created: c:\5dbc7bbf14917454e3442522d4a6\1043\eula.rtf
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe File created: c:\5dbc7bbf14917454e3442522d4a6\1044\eula.rtf
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe File created: c:\5dbc7bbf14917454e3442522d4a6\1045\eula.rtf
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe File created: c:\5dbc7bbf14917454e3442522d4a6\1046\eula.rtf
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe File created: c:\5dbc7bbf14917454e3442522d4a6\1049\eula.rtf
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe File created: c:\5dbc7bbf14917454e3442522d4a6\1053\eula.rtf
Source: SPCapIQProOffice-1.0.24095.1.exe Static PE information: certificate valid
Source: C:\Windows\System32\msiexec.exe File opened: c:\Windows\SysWOW64\msvcr100.dll
Source: SPCapIQProOffice-1.0.24095.1.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: D:\A\_work\681\a\WixBaDetectCapIqFunc.pdb source: SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000002.2896800650.000000006CBF4000.00000002.00000001.01000000.0000000A.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000D.00000002.2895086718.000000006C174000.00000002.00000001.01000000.00000010.sdmp
Source: Binary string: l!SNL.Clients.Office.PowerPoint.pdb source: SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2586195091.00000000010C5000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000002.2887871995.00000000010CF000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2585529102.00000000010C3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: l(itcxszeg.pdb|SNL.Clients.Office.Shim.pdb source: SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2583715727.00000000010CA000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2584419135.00000000010CF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: l.dsomi07c.pdb|SNL.Clients.Office.PowerPoint.pdbb source: SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2584704299.00000000010BE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: !SNL.Clients.Office.PowerPoint.pdb source: SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2585201732.00000000010B6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: SNL.Clients.Office.Excel.pdb!= source: SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2586079679.00000000010AA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: SNL.Clients.Office.Shim.pdb source: SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2586079679.00000000010AA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: SNL.Clients.Office.Word.pdb source: SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2586195091.00000000010C5000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2586079679.00000000010AA000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2585529102.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2585201732.00000000010B6000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2583715727.00000000010CA000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2584419135.00000000010CF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: l.dsomi07c.pdb|SNL.Clients.Office.PowerPoint.pdb source: SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2587094639.00000000010DB000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000002.2887871995.00000000010CF000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2585529102.00000000010DB000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2586195091.00000000010DB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Setup.pdb source: Setup.exe, 00000016.00000002.2599276952.0000000000851000.00000020.00000001.01000000.00000012.sdmp, Setup.exe, 00000016.00000000.2183636790.0000000000851000.00000020.00000001.01000000.00000012.sdmp, Setup.exe, 0000001D.00000000.2466014019.0000000000071000.00000020.00000001.01000000.0000001C.sdmp, Setup.exe, 0000001D.00000002.2574358507.0000000000071000.00000020.00000001.01000000.0000001C.sdmp
Source: Binary string: SNL.Clients.Office.Host.pdbM= source: SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2586079679.00000000010AA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\delivery\Dev\wix35\build\ship\x86\netfxca.pdb source: MSI6DC.tmp.23.dr
Source: Binary string: Microsoft.Office.Tools.Excel.v9.0.pdbP source: 44aaf8.rbf.23.dr
Source: Binary string: sqmapi.pdb source: Setup.exe, 00000016.00000002.2604661032.000000006BD81000.00000020.00000001.01000000.00000014.sdmp, Setup.exe, 0000001D.00000002.2577383725.000000006B9C1000.00000020.00000001.01000000.0000001E.sdmp
Source: Binary string: SetupEngine.pdb source: Setup.exe, 00000016.00000002.2605209130.000000006BDC1000.00000020.00000001.01000000.00000013.sdmp, Setup.exe, 0000001D.00000002.2577668762.000000006B9F1000.00000020.00000001.01000000.0000001D.sdmp
Source: Binary string: install.pdb source: vstor40_x64.exe, 00000018.00000002.2594285185.0000000000DC6000.00000004.00000020.00020000.00000000.sdmp, install.exe, 0000001A.00000002.2591416989.00007FF7AECA4000.00000002.00000001.01000000.0000001A.sdmp, install.exe, 0000001A.00000000.2413587318.00007FF7AECA4000.00000002.00000001.01000000.0000001A.sdmp
Source: Binary string: l(wiwfwpgt.pdb|SNL.Clients.Office.Word.pdb1 source: SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2583715727.00000000010CA000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2584419135.00000000010CF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: f:\dd\trinity\appnet\fx\runtime\ContractsV10\VSTOContract\objr\i386\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.pdb source: 44ab03.rbf.23.dr
Source: Binary string: l!SNL.Clients.Office.PowerPoint.pdbj source: SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2583715727.00000000010CA000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2584419135.00000000010CF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: MFCM100.amd64.pdbHp source: mfcm100.dll0.23.dr
Source: Binary string: SNL.Clients.Office.Common.pdbX source: SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2584704299.00000000010BE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: l(ombgpqa2.pdb|SNL.Clients.Office.Host.pdb source: SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2586079679.00000000010AA000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2583715727.00000000010CA000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2584419135.00000000010CF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: f:\dd\trinity\vsta\rt\VSTAAddInModel\CAA\objr\i386\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0.pdb source: FL_MSVSTAAddInAdapter_Pipeline_v10_enu_amd64.23.dr
Source: Binary string: MFCM100.amd64.pdb source: mfcm100.dll0.23.dr
Source: Binary string: l*txfpcpzj.pdb|SNL.Clients.Office.Common.pdb7 source: SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2584264924.00000000010D3000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2585529102.00000000010D4000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2583715727.00000000010CA000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2585201732.00000000010D4000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2587094639.00000000010D4000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2586195091.00000000010D4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: l"SNL.Clients.Office.Common.Core.pdb source: SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2586195091.00000000010C5000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000002.2887871995.00000000010CF000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2585529102.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2583715727.00000000010CA000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2584419135.00000000010CF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\agent\_work\8\s\build\ship\x86\burn.pdb source: SPCapIQProOffice-1.0.24095.1.exe
Source: Binary string: sfxcab.pdb source: vstor_redist.exe, 00000012.00000002.2610552026.0000000001002000.00000020.00000001.01000000.00000011.sdmp, vstor_redist.exe, 00000012.00000000.2089501904.0000000001002000.00000020.00000001.01000000.00000011.sdmp, vstor40_x64.exe, 00000018.00000002.2594610762.0000000001002000.00000020.00000001.01000000.00000019.sdmp, vstor40_x64.exe, 00000018.00000000.2395505903.0000000001002000.00000020.00000001.01000000.00000019.sdmp, vstor_redist.exe, 00000019.00000002.2581768099.0000000001002000.00000020.00000001.01000000.00000011.sdmp, vstor_redist.exe, 00000019.00000000.2411609798.0000000001002000.00000020.00000001.01000000.00000011.sdmp, vstor40_LP_x86_heb.exe.18.dr, vstor40_LP_x64_deu.exe.18.dr
Source: Binary string: l/c5bm5dgu.pdb|SNL.Clients.Office.Common.Core.pdb source: SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2586859040.00000000010DE000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2585529102.00000000010DB000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2586195091.00000000010DB000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2584798602.00000000010B3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: l)zaakjhur.pdb|SNL.Clients.Office.Excel.pdb source: SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2586079679.00000000010AA000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2584264924.00000000010D3000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2583715727.00000000010CA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.Office.Tools.Excel.v9.0.pdb source: 44aaf8.rbf.23.dr
Source: Binary string: f:\dd\trinity\appnet\fx\runtime\ContractsV10\VSTOContract\objr\i386\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.pdbD[^[ P[_CorDllMainmscoree.dll source: 44ab03.rbf.23.dr
Source: Binary string: vstoee.pdbN source: vsto_shared_vstoee_x86.3643236F_FC70_11D3_A536_0090278A1BB8.23.dr
Source: Binary string: patchhooks.pdb source: Setup.exe, 00000016.00000003.2275613374.000000000315F000.00000004.00000020.00020000.00000000.sdmp, vstor40_x64.exe, 00000018.00000002.2594285185.0000000000DC6000.00000004.00000020.00020000.00000000.sdmp, vc_red.msi0.25.dr
Source: Binary string: C:\delivery\Dev\wix35\build\ship\x86\netfxca.pdb U source: MSI6DC.tmp.23.dr
Source: Binary string: C:\agent\_work\8\s\build\ship\x86\WixStdBA.pdb source: SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000002.2897428739.000000006CC1F000.00000002.00000001.01000000.00000007.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000D.00000002.2895658611.000000006C19F000.00000002.00000001.01000000.0000000F.sdmp, wixstdba.dll.13.dr
Source: Binary string: SNL.Clients.Office.Excel.pdb source: SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2586195091.00000000010C5000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2585529102.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2585201732.00000000010B6000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2583715727.00000000010CA000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2584419135.00000000010CF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: SNL.Clients.Office.Host.pdb source: SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2586195091.00000000010C5000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2585529102.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2585201732.00000000010B6000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2583715727.00000000010CA000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2584419135.00000000010CF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: l(wiwfwpgt.pdb|SNL.Clients.Office.Word.pdb source: SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2586079679.00000000010AA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: l*txfpcpzj.pdb|SNL.Clients.Office.Common.pdb source: SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2586079679.00000000010AA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: atl100.i386.pdb source: F_CENTRAL_atl100_x86.23.dr
Source: Binary string: vstoee.pdb source: vsto_shared_vstoee_x86.3643236F_FC70_11D3_A536_0090278A1BB8.23.dr
Source: Binary string: /c5bm5dgu.pdb|SNL.Clients.Office.Common.Core.pdb source: SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2585201732.00000000010DB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: SNL.Clients.Office.Shim.pdbv source: SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2586195091.00000000010C5000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2585529102.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2585201732.00000000010B6000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2583715727.00000000010CA000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2584419135.00000000010CF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: .dsomi07c.pdb|SNL.Clients.Office.PowerPoint.pdb source: SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2585201732.00000000010DB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: l(itcxszeg.pdb|SNL.Clients.Office.Shim.pdbx? source: SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2586079679.00000000010AA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: SNL.Clients.Office.Common.pdb source: SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2585529102.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2585201732.00000000010B6000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000002.2887542922.00000000010C3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: "SNL.Clients.Office.Common.Core.pdb source: SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2585201732.00000000010B6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: SetupResources.pdb source: SetupResources.dll6.18.dr, SetupResources.dll12.25.dr, SetupResources.dll9.18.dr, SetupResources.dll4.25.dr, SetupResources.dll16.18.dr, SetupResources.dll1.25.dr, SetupResources.dll16.25.dr
Source: Binary string: C:\agent\_work\8\s\build\ship\x86\SfxCA.pdb source: MSI3B24.tmp.23.dr
Source: C:\Windows\System32\msiexec.exe File opened: z:
Source: C:\Windows\System32\msiexec.exe File opened: x:
Source: C:\Windows\System32\msiexec.exe File opened: v:
Source: C:\Windows\System32\msiexec.exe File opened: t:
Source: C:\Windows\System32\msiexec.exe File opened: r:
Source: C:\Windows\System32\msiexec.exe File opened: p:
Source: C:\Windows\System32\msiexec.exe File opened: n:
Source: C:\Windows\System32\msiexec.exe File opened: l:
Source: C:\Windows\System32\msiexec.exe File opened: j:
Source: C:\Windows\System32\msiexec.exe File opened: h:
Source: C:\Windows\System32\msiexec.exe File opened: f:
Source: C:\Windows\System32\msiexec.exe File opened: b:
Source: C:\Windows\System32\msiexec.exe File opened: y:
Source: C:\Windows\System32\msiexec.exe File opened: w:
Source: C:\Windows\System32\msiexec.exe File opened: u:
Source: C:\Windows\System32\msiexec.exe File opened: s:
Source: C:\Windows\System32\msiexec.exe File opened: q:
Source: C:\Windows\System32\msiexec.exe File opened: o:
Source: C:\Windows\System32\msiexec.exe File opened: m:
Source: C:\Windows\System32\msiexec.exe File opened: k:
Source: C:\Windows\System32\msiexec.exe File opened: i:
Source: C:\Windows\System32\msiexec.exe File opened: g:
Source: C:\Windows\System32\msiexec.exe File opened: e:
Source: C:\Windows\System32\msiexec.exe File opened: c:
Source: C:\Windows\System32\msiexec.exe File opened: a:
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\Desktop\SPCapIQProOffice-1.0.24095.1.exe Code function: 0_2_00054440 FindFirstFileW,FindClose,0_2_00054440
Source: C:\Users\user\Desktop\SPCapIQProOffice-1.0.24095.1.exe Code function: 0_2_00029B43 FindFirstFileW,lstrlenW,FindNextFileW,FindClose,0_2_00029B43
Source: C:\Users\user\Desktop\SPCapIQProOffice-1.0.24095.1.exe Code function: 0_2_00013CC4 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,0_2_00013CC4
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exe Code function: 1_2_00984440 FindFirstFileW,FindClose,1_2_00984440
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exe Code function: 1_2_00959B43 FindFirstFileW,lstrlenW,FindNextFileW,FindClose,1_2_00959B43
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exe Code function: 1_2_00943CC4 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,1_2_00943CC4
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exe Code function: 1_2_6CBED856 FindFirstFileExW,_free,1_2_6CBED856
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exe Code function: 1_2_6CC06866 FindFirstFileW,FindClose,1_2_6CC06866
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exe Code function: 2_2_00694440 FindFirstFileW,FindClose,2_2_00694440
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exe Code function: 2_2_00669B43 FindFirstFileW,lstrlenW,FindNextFileW,FindClose,2_2_00669B43
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exe Code function: 2_2_00653CC4 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,2_2_00653CC4
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe Code function: 11_2_001A4440 FindFirstFileW,FindClose,11_2_001A4440
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe Code function: 11_2_00179B43 FindFirstFileW,lstrlenW,FindNextFileW,FindClose,11_2_00179B43
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe Code function: 11_2_00163CC4 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,11_2_00163CC4
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe Code function: 13_2_6C16D856 FindFirstFileExW,_free,13_2_6C16D856
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe Code function: 13_2_6C186866 FindFirstFileW,FindClose,13_2_6C186866
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exe File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\NULL
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exe File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\packages
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exe File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\packages\vcRuntimeAdditional_amd64
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exe File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exe File opened: C:\ProgramData\Package Cache\NULL
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exe File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\packages\NULL
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exe Code function: 1_2_00986357 InternetReadFile,WriteFile,WriteFile,GetLastError,GetLastError,1_2_00986357
Source: SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000003.1634078534.0000000000C05000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000003.1634159978.0000000000C05000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.capitaliq.spglobal.cn/apiservices/office-tools-service/Conte
Source: SPCapIQProOffice-1.0.24095.1.exe, 00000000.00000003.1630207902.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000000.00000002.2888186888.00000000027F0000.00000004.00000800.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000000.00000002.2883590175.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000000.00000003.1630373970.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000003.1634078534.0000000000C05000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000003.1634078534.0000000000BDD000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000002.2886220545.0000000000C05000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000002.2891213065.0000000002CF8000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000002.2891213065.0000000002D02000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000002.2892239144.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000003.1634159978.0000000000C05000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000002.00000003.2027015327.0000000001284000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000002.00000003.1675920250.0000000001284000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000002.00000002.2884277947.0000000001284000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000002.00000002.2891582603.0000000003480000.00000004.00000800.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000002.00000003.1676056198.0000000001284000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 
0000000B.00000003.1928049730.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000B.00000003.1927825834.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000B.00000003.1930159833.0000000002E4C000.00000004.00000800.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000C.00000003.1929249126.0000000000846000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000C.00000002.2883587516.0000000000846000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.capitaliq.spglobal.cn/apiservices/office-tools-service/Content/Prereqs/NDP48/ndp48-x86-x
Source: BootstrapperApplicationData.xml.1.drString found in binary or memory: https://www.capitaliq.spglobal.cn/apiservices/office-tools-service/Content/Prereqs/VC_REDIST/vc_redi
Source: SPCapIQProOffice-1.0.24095.1.exe, 00000000.00000003.1630207902.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000000.00000002.2888186888.00000000027F0000.00000004.00000800.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000000.00000002.2883590175.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000000.00000003.1630373970.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000003.1634078534.0000000000C05000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000003.1634078534.0000000000BDD000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000002.2886220545.0000000000C05000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000002.2891213065.0000000002CF8000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000002.2891213065.0000000002D02000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000002.2892239144.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000003.1634159978.0000000000C05000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000002.00000003.2027015327.0000000001284000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000002.00000003.1675920250.0000000001284000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000002.00000002.2884277947.0000000001284000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000002.00000002.2891582603.0000000003480000.00000004.00000800.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000002.00000003.1676056198.0000000001284000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 
0000000B.00000003.1928049730.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000B.00000003.1927825834.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000B.00000003.1932045913.0000000000C3B000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000B.00000003.1931257225.0000000000C34000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000B.00000003.1930159833.0000000002E4C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.capitaliq.spglobal.cn/apiservices/office-tools-service/Content/Prereqs/VSTOR2010/vstor_r
Source: SPCapIQProOffice-1.0.24095.1.exe, 00000000.00000003.1630207902.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000000.00000002.2888186888.00000000027F0000.00000004.00000800.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000000.00000002.2883590175.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000000.00000003.1630373970.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000003.1634078534.0000000000C05000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000003.1634078534.0000000000BDD000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000002.2886220545.0000000000C05000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000002.2891213065.0000000002CF8000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000002.2891213065.0000000002D02000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000002.2892239144.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000003.1634159978.0000000000C05000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000002.00000003.1675920250.0000000001291000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000002.00000002.2884277947.0000000001284000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000002.00000002.2891582603.0000000003480000.00000004.00000800.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000002.00000003.2027015327.0000000001291000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000002.00000003.1676056198.0000000001291000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 
0000000B.00000003.1928049730.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000B.00000003.1927825834.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000B.00000003.1932045913.0000000000C3B000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000B.00000003.1931257225.0000000000C34000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000B.00000003.1932156175.0000000000C3E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.capitaliq.spglobal.cn/apiservices/office-tools-service/Content/en-US/OfficeTools-x64-1.0
Source: SPCapIQProOffice-1.0.24095.1.exe, 00000000.00000003.1630207902.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000000.00000002.2888186888.00000000027F0000.00000004.00000800.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000000.00000002.2883590175.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000000.00000003.1630373970.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000003.1634078534.0000000000C05000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000003.1634078534.0000000000BDD000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000002.2886220545.0000000000C05000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000002.2891213065.0000000002CF8000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000002.2891213065.0000000002D02000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000002.2892239144.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000003.1634159978.0000000000C05000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000002.00000003.1675920250.0000000001291000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000002.00000002.2884277947.0000000001284000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000002.00000002.2891582603.0000000003480000.00000004.00000800.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000002.00000003.2027015327.0000000001291000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000002.00000003.1676056198.0000000001291000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 
0000000B.00000003.1928049730.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000B.00000003.1927825834.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000B.00000003.1932045913.0000000000C3B000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000B.00000003.1931257225.0000000000C34000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000B.00000003.1930048010.0000000002E4E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.capitaliq.spglobal.cn/apiservices/office-tools-service/Content/en-US/OfficeTools-x86-1.0
Source: SPCapIQProOffice-1.0.24095.1.exe, 00000000.00000003.1630207902.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000000.00000002.2888186888.00000000027F0000.00000004.00000800.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000000.00000002.2883590175.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000000.00000003.1630373970.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000003.1634078534.0000000000C05000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000003.1634078534.0000000000BDD000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000002.2886220545.0000000000C05000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000002.2891213065.0000000002CF8000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000002.2891213065.0000000002D02000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000002.2892239144.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000003.1634159978.0000000000C05000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000002.00000003.1675920250.0000000001291000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000002.00000002.2884277947.0000000001284000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000002.00000002.2891582603.0000000003480000.00000004.00000800.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000002.00000003.2027015327.0000000001291000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000002.00000003.1676056198.0000000001291000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 
0000000B.00000003.1931925320.0000000000C42000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000B.00000003.1927825834.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000B.00000003.1931257225.0000000000C34000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000B.00000003.1928049730.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000B.00000002.1934087160.0000000000C44000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.capitaliq.spglobal.cn/apiservices/office-tools-service/Content/en-US/PluginManager-1.0.2
Source: SPCapIQProOffice-1.0.24095.1.exe, 00000000.00000003.1630207902.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000000.00000002.2888186888.00000000027F0000.00000004.00000800.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000000.00000002.2883590175.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000000.00000003.1630373970.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000003.1634078534.0000000000C05000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000003.1634078534.0000000000BDD000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000002.2886220545.0000000000C05000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000002.2891213065.0000000002CF8000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000002.2891213065.0000000002D02000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000002.2892239144.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000003.1634159978.0000000000C05000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000002.00000003.2027015327.0000000001284000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000002.00000003.1675920250.0000000001284000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000002.00000002.2884277947.0000000001284000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000002.00000002.2891582603.0000000003480000.00000004.00000800.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000002.00000003.1676056198.0000000001284000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 
0000000B.00000003.1928049730.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000B.00000003.1927825834.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000B.00000003.1932045913.0000000000C3B000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000B.00000003.1931257225.0000000000C34000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000B.00000002.1933988321.0000000000C3C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.capitaliq.spglobal.cn/apiservices/office-tools-service/Content/en-US/SPCapIQProOffice-x6
Source: SPCapIQProOffice-1.0.24095.1.exe, 00000000.00000003.1630373970.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000003.1634078534.0000000000C05000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000003.1634078534.0000000000BDD000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000002.2886220545.0000000000C05000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000002.2891213065.0000000002CF8000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000002.2891213065.0000000002D02000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000002.2892239144.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000003.1634159978.0000000000C05000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000002.00000003.1675920250.0000000001291000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000002.00000002.2884277947.0000000001284000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000002.00000002.2891582603.0000000003480000.00000004.00000800.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000002.00000003.2027015327.0000000001291000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000002.00000003.1676056198.0000000001291000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000B.00000003.1928049730.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000B.00000003.1927825834.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000B.00000003.1932045913.0000000000C3B000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 
0000000B.00000003.1931257225.0000000000C34000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000B.00000003.1930048010.0000000002E4E000.00000004.00000800.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000B.00000003.1932156175.0000000000C3E000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000C.00000003.1929249126.0000000000846000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000C.00000002.2883587516.0000000000846000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.capitaliq.spglobal.cn/apiservices/office-tools-service/Content/en-US/SPCapIQProOffice-x8
Source: SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000002.2886220545.0000000000C05000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.capitaliq.spglobal.cn/r_CN_1.0.24095.1.msi
Source: SPCapIQProOffice-1.0.24095.1.exe, 0000000D.00000002.2882904243.0000000001348000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.capitaliq.spglobal.cn/w
Source: SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2032193426.0000000001084000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2032900367.0000000001084000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.capitaliq.spglobal.co
Source: SPCapIQProOffice-1.0.24095.1.exe, 0000000D.00000003.1935258122.0000000001395000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000D.00000002.2894303109.00000000071C0000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000D.00000002.2882904243.0000000001348000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000D.00000002.2882904243.00000000013BF000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000D.00000002.2882904243.00000000013E4000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000002.2884729362.0000000001084000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2032193426.0000000001084000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000002.2884729362.0000000001038000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000002.2894044221.0000000003660000.00000004.00000800.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000002.2884729362.0000000001091000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2032900367.0000000001084000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.capitaliq.spglobal.com/
Source: SPCapIQProOffice-1.0.24095.1.exe, 0000000C.00000002.2883587516.00000000007F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.capitaliq.spglobal.com/&D
Source: SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000003.2611939090.00000000058E5000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000002.2894425642.00000000058E1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.capitaliq.spglobal.com/G~
Source: SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000002.2894425642.00000000058F4000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000003.2611939090.00000000058F4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.capitaliq.spglobal.com/S_m
Source: SPCapIQProOffice-1.0.24095.1.exe, 0000000C.00000003.1929249126.0000000000846000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000C.00000002.2883587516.0000000000846000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000C.00000003.1929606614.0000000000846000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.capitaliq.spglobal.com/apis
Source: SPCapIQProOffice-1.0.24095.1.exe, 00000002.00000003.1675920250.0000000001284000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000002.00000003.1676056198.0000000001284000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.capitaliq.spglobal.com/apiservices/offiQB
Source: SPCapIQProOffice-1.0.24095.1.exe, 00000002.00000003.1675920250.0000000001284000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000002.00000003.1676056198.0000000001284000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.capitaliq.spglobal.com/apiservices/office-t7B
Source: SPCapIQProOffice-1.0.24095.1.exe, 0000000B.00000002.1933865731.0000000000C34000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000B.00000003.1928049730.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000B.00000003.1927825834.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000B.00000003.1931257225.0000000000C34000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000B.00000003.1932358478.0000000000C34000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.capitaliq.spglobal.com/apiservices/office-too
Source: SPCapIQProOffice-1.0.24095.1.exe, 0000000C.00000003.1929249126.0000000000846000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000C.00000002.2883587516.0000000000846000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000C.00000003.1929606614.0000000000846000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.capitaliq.spglobal.com/apiservices/office-tools-servi
Source: SPCapIQProOffice-1.0.24095.1.exe, 0000000C.00000003.1929249126.0000000000846000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000C.00000002.2883587516.0000000000846000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000C.00000003.1929606614.0000000000846000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.capitaliq.spglobal.com/apiservices/office-tools-service/C
Source: SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000002.2884729362.0000000001060000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.capitaliq.spglobal.com/apiservices/office-tools-service/Content/Empower/e
Source: SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000002.2884729362.0000000001060000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000002.2884729362.0000000001038000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.capitaliq.spglobal.com/apiservices/office-tools-service/Content/Empower/empower-1.0.2409
Source: SPCapIQProOffice-1.0.24095.1.exe, 00000000.00000003.1630207902.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000000.00000002.2888186888.00000000027F0000.00000004.00000800.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000000.00000002.2883590175.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000000.00000003.1630373970.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000003.1634078534.0000000000C05000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000003.1634078534.0000000000BDD000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000002.2886220545.0000000000C05000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000002.2891213065.0000000002CF8000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000002.2891213065.0000000002D02000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000002.2892239144.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000003.1634159978.0000000000C05000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000002.00000003.2027015327.0000000001284000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000002.00000003.1675920250.0000000001284000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000002.00000002.2884277947.0000000001284000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000002.00000002.2891582603.0000000003480000.00000004.00000800.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000002.00000003.1676056198.0000000001284000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 
0000000B.00000003.1928049730.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000B.00000003.1927825834.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000B.00000003.1930159833.0000000002E4C000.00000004.00000800.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000C.00000003.1929249126.0000000000846000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000C.00000002.2883587516.0000000000846000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.capitaliq.spglobal.com/apiservices/office-tools-service/Content/Prereqs/NDP48/ndp48-x86-

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Windows\System32\msiexec.exeFile created: c:\Windows\Installer\44ab1b.msi
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI593.tmp
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI6DC.tmp
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI74A.tmp
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI1A47.tmp
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI1A96.tmp
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI1E21.tmp
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\44ab1c.msi
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI38AF.tmp
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI390E.tmp
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI39AB.tmp
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI3A29.tmp
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI3B24.tmp
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI81F2.tmp
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeFile created: C:\Windows\Microsoft.NET\ngenserviceclientlock.dat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeFile created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exeFile created: C:\Windows\Microsoft.NET\ngenserviceclientlock.dat
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exeFile created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeFile deleted: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\VSTOR.R
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeCode function: String function: 00980237 appears 683 times
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeCode function: String function: 00941F13 appears 54 times
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeCode function: String function: 009832F3 appears 83 times
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeCode function: String function: 00943821 appears 501 times
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeCode function: String function: 6CC0DA9D appears 40 times
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeCode function: String function: 6CC05B74 appears 84 times
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeCode function: String function: 00980726 appears 34 times
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exeCode function: String function: 00653821 appears 500 times
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exeCode function: String function: 006932F3 appears 84 times
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exeCode function: String function: 00651F13 appears 54 times
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exeCode function: String function: 00690726 appears 34 times
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exeCode function: String function: 00690237 appears 685 times
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeCode function: String function: 001A0726 appears 34 times
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeCode function: String function: 6C18DA9D appears 40 times
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeCode function: String function: 00161F13 appears 54 times
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeCode function: String function: 001A0237 appears 685 times
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeCode function: String function: 00163821 appears 500 times
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeCode function: String function: 6C185B74 appears 84 times
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeCode function: String function: 001A32F3 appears 83 times
Source: C:\Users\user\Desktop\SPCapIQProOffice-1.0.24095.1.exeCode function: String function: 00050726 appears 34 times
Source: C:\Users\user\Desktop\SPCapIQProOffice-1.0.24095.1.exeCode function: String function: 00011F13 appears 54 times
Source: C:\Users\user\Desktop\SPCapIQProOffice-1.0.24095.1.exeCode function: String function: 000532F3 appears 83 times
Source: C:\Users\user\Desktop\SPCapIQProOffice-1.0.24095.1.exeCode function: String function: 00013821 appears 501 times
Source: C:\Users\user\Desktop\SPCapIQProOffice-1.0.24095.1.exeCode function: String function: 00050237 appears 683 times
Source: SetupResources.dll13.18.drStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: SetupResources.dll16.18.drStatic PE information: No import functions for PE file found
Source: SetupResources.dll13.18.drStatic PE information: No import functions for PE file found
Source: SetupResources.dll1.18.drStatic PE information: No import functions for PE file found
Source: SetupResources.dll4.18.drStatic PE information: No import functions for PE file found
Source: SetupResources.dll9.18.drStatic PE information: No import functions for PE file found
Source: SetupResources.dll12.18.drStatic PE information: No import functions for PE file found
Source: SetupResources.dll15.18.drStatic PE information: No import functions for PE file found
Source: SetupResources.dll0.18.drStatic PE information: No import functions for PE file found
Source: SetupResources.dll3.18.drStatic PE information: No import functions for PE file found
Source: SetupResources.dll11.18.drStatic PE information: No import functions for PE file found
Source: SetupResources.dll6.18.drStatic PE information: No import functions for PE file found
Source: SetupResources.dll7.18.drStatic PE information: No import functions for PE file found
Source: SetupResources.dll10.18.drStatic PE information: No import functions for PE file found
Source: SetupResources.dll2.18.drStatic PE information: No import functions for PE file found
Source: SetupResources.dll14.18.drStatic PE information: No import functions for PE file found
Source: SetupResources.dll.18.drStatic PE information: No import functions for PE file found
Source: SetupResources.dll5.18.drStatic PE information: No import functions for PE file found
Source: SetupResources.dll8.18.drStatic PE information: No import functions for PE file found
Source: SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000002.2897666574.000000006CC2D000.00000002.00000001.01000000.00000007.sdmpBinary or memory string: OriginalFilenamewixstdba.dll\ vs SPCapIQProOffice-1.0.24095.1.exe
Source: SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000002.2886220545.0000000000C88000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: rights reserved.lBOriginalFilenameSPCapIQProOffice-1.0.24095.1.e vs SPCapIQProOffice-1.0.24095.1.exe
Source: SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000002.2886220545.0000000000C88000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: All rights reserved.lBOriginalFilenameSPCapIQProOffice-1.0.24095 vs SPCapIQProOffice-1.0.24095.1.exe
Source: SPCapIQProOffice-1.0.24095.1.exe, 0000000D.00000002.2895867977.000000006C1AD000.00000002.00000001.01000000.0000000F.sdmpBinary or memory string: OriginalFilenamewixstdba.dll\ vs SPCapIQProOffice-1.0.24095.1.exe
Source: SPCapIQProOffice-1.0.24095.1.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP
Source: vstor40_LP_x64_cht.exe.18.drStatic PE information: Section: .rsrc ZLIB complexity 0.9887546101159115
Source: classification engineClassification label: sus24.rans.evad.winEXE@77/696@0/2
Source: C:\Users\user\Desktop\SPCapIQProOffice-1.0.24095.1.exeCode function: 0_2_0004FE21 FormatMessageW,GetLastError,LocalFree,0_2_0004FE21
Source: C:\Users\user\Desktop\SPCapIQProOffice-1.0.24095.1.exeCode function: 0_2_000145EE GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle,0_2_000145EE
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeCode function: 1_2_009445EE GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle,1_2_009445EE
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exeCode function: 2_2_006545EE GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle,2_2_006545EE
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeCode function: 11_2_001645EE GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle,11_2_001645EE
Source: C:\Users\user\Desktop\SPCapIQProOffice-1.0.24095.1.exeCode function: 0_2_0005304F GetModuleHandleA,GetLastError,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CoCreateInstance,ExitProcess,0_2_0005304F
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeCode function: 1_2_6CC0D424 FindResourceExA,GetLastError,LoadResource,GetLastError,SizeofResource,GetLastError,LockResource,GetLastError,1_2_6CC0D424
Source: C:\Users\user\Desktop\SPCapIQProOffice-1.0.24095.1.exeCode function: 0_2_00036B88 ChangeServiceConfigW,GetLastError,0_2_00036B88
Source: C:\Windows\System32\msiexec.exeFile created: c:\Program Files (x86)\Common Files\Microsoft Shared\VC
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7624:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4412:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4128:120:WilError_03
Source: C:\9e8b505ac5bf67d26cfba004c7a3fd\install.exeMutant created: \Sessions\1\BaseNamedObjects\SetupWatson_Mutex_Name
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7944:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4520:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2332:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1664:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1640:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5180:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3344:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7620:120:WilError_03
Source: C:\e4b15374fbeb09b00c2ff6ea22\Setup.exeMutant created: \Sessions\1\BaseNamedObjects\Global\VC_Redist_SetupMutex
Source: C:\Users\user\Desktop\SPCapIQProOffice-1.0.24095.1.exeFile created: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\
Source: C:\Users\user\Desktop\SPCapIQProOffice-1.0.24095.1.exeCommand line argument: cabinet.dll0_2_00011070
Source: C:\Users\user\Desktop\SPCapIQProOffice-1.0.24095.1.exeCommand line argument: msi.dll0_2_00011070
Source: C:\Users\user\Desktop\SPCapIQProOffice-1.0.24095.1.exeCommand line argument: version.dll0_2_00011070
Source: C:\Users\user\Desktop\SPCapIQProOffice-1.0.24095.1.exeCommand line argument: wininet.dll0_2_00011070
Source: C:\Users\user\Desktop\SPCapIQProOffice-1.0.24095.1.exeCommand line argument: comres.dll0_2_00011070
Source: C:\Users\user\Desktop\SPCapIQProOffice-1.0.24095.1.exeCommand line argument: clbcatq.dll0_2_00011070
Source: C:\Users\user\Desktop\SPCapIQProOffice-1.0.24095.1.exeCommand line argument: msasn1.dll0_2_00011070
Source: C:\Users\user\Desktop\SPCapIQProOffice-1.0.24095.1.exeCommand line argument: crypt32.dll0_2_00011070
Source: C:\Users\user\Desktop\SPCapIQProOffice-1.0.24095.1.exeCommand line argument: feclient.dll0_2_00011070
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeCommand line argument: cabinet.dll1_2_00941070
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeCommand line argument: msi.dll1_2_00941070
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeCommand line argument: version.dll1_2_00941070
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeCommand line argument: wininet.dll1_2_00941070
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeCommand line argument: comres.dll1_2_00941070
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeCommand line argument: clbcatq.dll1_2_00941070
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeCommand line argument: msasn1.dll1_2_00941070
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeCommand line argument: crypt32.dll1_2_00941070
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeCommand line argument: feclient.dll1_2_00941070
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exeCommand line argument: cabinet.dll2_2_00651070
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exeCommand line argument: msi.dll2_2_00651070
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exeCommand line argument: version.dll2_2_00651070
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exeCommand line argument: comres.dll2_2_00651070
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exeCommand line argument: clbcatq.dll2_2_00651070
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exeCommand line argument: msasn1.dll2_2_00651070
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exeCommand line argument: crypt32.dll2_2_00651070
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exeCommand line argument: feclient.dll2_2_00651070
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeCommand line argument: cabinet.dll11_2_00161070
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeCommand line argument: msi.dll11_2_00161070
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeCommand line argument: version.dll11_2_00161070
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeCommand line argument: wininet.dll11_2_00161070
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeCommand line argument: comres.dll11_2_00161070
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeCommand line argument: clbcatq.dll11_2_00161070
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeCommand line argument: msasn1.dll11_2_00161070
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeCommand line argument: crypt32.dll11_2_00161070
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeCommand line argument: feclient.dll11_2_00161070
Source: SPCapIQProOffice-1.0.24095.1.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeFile read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\SPCapIQProOffice-1.0.24095.1.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SPCapIQProOffice-1.0.24095.1.exeString found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
Source: C:\Users\user\Desktop\SPCapIQProOffice-1.0.24095.1.exeFile read: C:\Users\user\Desktop\SPCapIQProOffice-1.0.24095.1.exe
Source: unknownProcess created: C:\Users\user\Desktop\SPCapIQProOffice-1.0.24095.1.exe "C:\Users\user\Desktop\SPCapIQProOffice-1.0.24095.1.exe"
Source: C:\Users\user\Desktop\SPCapIQProOffice-1.0.24095.1.exeProcess created: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exe "C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exe" -burn.clean.room="C:\Users\user\Desktop\SPCapIQProOffice-1.0.24095.1.exe" -burn.filehandle.attached=532 -burn.filehandle.self=528
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeProcess created: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exe "C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exe" -q -burn.elevated BurnPipe.{22255B69-8FB0-4B58-9A37-96EAAA229CC0} {B6A53FD5-A31E-4AF8-BB77-CA62C452506E} 7336
Source: unknownProcess created: C:\Windows\System32\SrTasks.exe C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:1
Source: C:\Windows\System32\SrTasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe "C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe" /burn.runonce
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeProcess created: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe "C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe" /burn.log.append "C:\Users\user\AppData\Local\Temp\S&P_Capital_IQ_Pro_Office_20240419025210.log"
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeProcess created: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe "C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe" -burn.clean.room="C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe" -burn.filehandle.attached=520 -burn.filehandle.self=540 /burn.log.append "C:\Users\user\AppData\Local\Temp\S&P_Capital_IQ_Pro_Office_20240419025210.log"
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeProcess created: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe "C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe" -q -burn.elevated BurnPipe.{F8907890-6A84-4345-B5A9-D02185C4BBD7} {C0D578AC-8A16-4B2B-B0EB-8A9283D46FE9} 7396
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exeProcess created: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe "C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe" /i /q /norestart
Source: unknownProcess created: C:\Windows\System32\SrTasks.exe C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
Source: C:\Windows\System32\SrTasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeProcess created: C:\e4b15374fbeb09b00c2ff6ea22\Setup.exe c:\e4b15374fbeb09b00c2ff6ea22\Setup.exe /i /q /norestart
Source: unknownProcess created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\e4b15374fbeb09b00c2ff6ea22\Setup.exeProcess created: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exe vstor40_x64.exe /q
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeProcess created: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe "C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe" /i /q /norestart
Source: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exeProcess created: C:\9e8b505ac5bf67d26cfba004c7a3fd\install.exe c:\9e8b505ac5bf67d26cfba004c7a3fd\install.exe /q
Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe c:\Windows\syswow64\MsiExec.exe -Embedding 50D0C51C5F29CB2F939D1D66AF46B8FD
Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\System32\msiexec.exe c:\Windows\System32\MsiExec.exe -Embedding 392B92B2C8922C55BB291E3DD13F1718
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeProcess created: C:\5dbc7bbf14917454e3442522d4a6\Setup.exe c:\5dbc7bbf14917454e3442522d4a6\Setup.exe /i /q /norestart
Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe c:\Windows\syswow64\MsiExec.exe -Embedding 8B188487738B9071562D9EF7776E0846 M Global\MSI0000
Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\System32\msiexec.exe c:\Windows\System32\MsiExec.exe -Embedding 65B24CE328994E1BC77923B19C5082F3 E Global\MSI0000
Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe c:\Windows\syswow64\MsiExec.exe -Embedding 417DB550FCDE732E3591759ED0C0D26B E Global\MSI0000
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll" /queue:3 /NoDependencies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll" /queue:3 /NoDependencies
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll" /queue:3 /NoDependencies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll" /queue:3 /NoDependencies
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll" /queue:3 /NoDependencies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll" /queue:3 /NoDependencies
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll" /queue:3 /NoDependencies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll" /queue:3 /NoDependencies
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll" /queue:3 /NoDependencies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exeProcess created: unknown unknown
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
Source: C:\Users\user\Desktop\SPCapIQProOffice-1.0.24095.1.exeSection loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SPCapIQProOffice-1.0.24095.1.exeSection loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SPCapIQProOffice-1.0.24095.1.exeSection loaded: msi.dll
Source: C:\Users\user\Desktop\SPCapIQProOffice-1.0.24095.1.exeSection loaded: version.dll
Source: C:\Users\user\Desktop\SPCapIQProOffice-1.0.24095.1.exeSection loaded: cabinet.dll
Source: C:\Users\user\Desktop\SPCapIQProOffice-1.0.24095.1.exeSection loaded: msxml3.dll
Source: C:\Users\user\Desktop\SPCapIQProOffice-1.0.24095.1.exeSection loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SPCapIQProOffice-1.0.24095.1.exeSection loaded: wldp.dll
Source: C:\Users\user\Desktop\SPCapIQProOffice-1.0.24095.1.exeSection loaded: profapi.dll
Source: C:\Users\user\Desktop\SPCapIQProOffice-1.0.24095.1.exeSection loaded: feclient.dll
Source: C:\Users\user\Desktop\SPCapIQProOffice-1.0.24095.1.exeSection loaded: iertutil.dll
Source: C:\Users\user\Desktop\SPCapIQProOffice-1.0.24095.1.exeSection loaded: apphelp.dll
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeSection loaded: cryptbase.dll
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeSection loaded: msi.dll
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeSection loaded: version.dll
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeSection loaded: cabinet.dll
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeSection loaded: msxml3.dll
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeSection loaded: windows.storage.dll
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeSection loaded: wldp.dll
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeSection loaded: profapi.dll
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeSection loaded: feclient.dll
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeSection loaded: iertutil.dll
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeSection loaded: uxtheme.dll
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeSection loaded: textinputframework.dll
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeSection loaded: coreuicomponents.dll
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeSection loaded: coremessaging.dll
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeSection loaded: ntmarta.dll
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeSection loaded: wintypes.dll
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeSection loaded: wintypes.dll
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeSection loaded: wintypes.dll
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeSection loaded: msimg32.dll
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeSection loaded: windowscodecs.dll
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeSection loaded: explorerframe.dll
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeSection loaded: textshaping.dll
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeSection loaded: propsys.dll
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeSection loaded: edputil.dll
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeSection loaded: urlmon.dll
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeSection loaded: srvcli.dll
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeSection loaded: netutils.dll
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeSection loaded: windows.staterepositoryps.dll
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeSection loaded: sspicli.dll
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeSection loaded: appresolver.dll
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeSection loaded: bcp47langs.dll
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeSection loaded: slc.dll
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeSection loaded: userenv.dll
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeSection loaded: sppc.dll
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeSection loaded: onecorecommonproxystub.dll
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeSection loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeSection loaded: apphelp.dll
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeSection loaded: wininet.dll
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeSection loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeSection loaded: winhttp.dll
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeSection loaded: mswsock.dll
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeSection loaded: iphlpapi.dll
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeSection loaded: winnsi.dll
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeSection loaded: dnsapi.dll
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeSection loaded: rasadhlp.dll
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeSection loaded: fwpuclnt.dll
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeSection loaded: schannel.dll
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeSection loaded: mskeyprotect.dll
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeSection loaded: ntasn1.dll
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeSection loaded: msasn1.dll
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeSection loaded: dpapi.dll
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeSection loaded: cryptsp.dll
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeSection loaded: rsaenh.dll
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeSection loaded: gpapi.dll
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeSection loaded: ncrypt.dll
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeSection loaded: ncryptsslp.dll
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exeSection loaded: cryptbase.dll
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exeSection loaded: msi.dll
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exeSection loaded: version.dll
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exeSection loaded: cabinet.dll
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exeSection loaded: msxml3.dll
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exeSection loaded: windows.storage.dll
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exeSection loaded: wldp.dll
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exeSection loaded: profapi.dll
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exeSection loaded: uxtheme.dll
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exeSection loaded: textinputframework.dll
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exeSection loaded: coreuicomponents.dll
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exeSection loaded: coremessaging.dll
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exeSection loaded: ntmarta.dll
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exeSection loaded: wintypes.dll
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exeSection loaded: wintypes.dll
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exeSection loaded: wintypes.dll
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exeSection loaded: srclient.dll
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exeSection loaded: spp.dll
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exeSection loaded: powrprof.dll
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exeSection loaded: vssapi.dll
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exeSection loaded: vsstrace.dll
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exeSection loaded: umpdc.dll
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exeSection loaded: usoapi.dll
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exeSection loaded: sxproxy.dll
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exeSection loaded: cryptsp.dll
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exeSection loaded: rsaenh.dll
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exeSection loaded: feclient.dll
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exeSection loaded: srpapi.dllJump to behavior
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exeSection loaded: tsappcmp.dllJump to behavior
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\SrTasks.exeSection loaded: spp.dllJump to behavior
Source: C:\Windows\System32\SrTasks.exeSection loaded: srclient.dllJump to behavior
Source: C:\Windows\System32\SrTasks.exeSection loaded: srcore.dllJump to behavior
Source: C:\Windows\System32\SrTasks.exeSection loaded: vssapi.dllJump to behavior
Source: C:\Windows\System32\SrTasks.exeSection loaded: vssapi.dllJump to behavior
Source: C:\Windows\System32\SrTasks.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\SrTasks.exeSection loaded: vsstrace.dllJump to behavior
Source: C:\Windows\System32\SrTasks.exeSection loaded: ktmw32.dllJump to behavior
Source: C:\Windows\System32\SrTasks.exeSection loaded: wer.dllJump to behavior
Source: C:\Windows\System32\SrTasks.exeSection loaded: bcd.dllJump to behavior
Source: C:\Windows\System32\SrTasks.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\SrTasks.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\SrTasks.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\SrTasks.exeSection loaded: dsrole.dllJump to behavior
Source: C:\Windows\System32\SrTasks.exeSection loaded: msxml3.dllJump to behavior
Source: C:\Windows\System32\SrTasks.exeSection loaded: vss_ps.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: msi.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: version.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: cabinet.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: msxml3.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: wldp.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: profapi.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: apphelp.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: msi.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: version.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: cabinet.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: msxml3.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: wldp.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: profapi.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: apphelp.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: msi.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: version.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: cabinet.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: msxml3.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: wldp.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: profapi.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: feclient.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: iertutil.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: wintypes.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: wintypes.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: wintypes.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: msimg32.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: windowscodecs.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: explorerframe.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: textshaping.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: propsys.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: edputil.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: urlmon.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: srvcli.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: netutils.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: windows.staterepositoryps.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: sspicli.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: appresolver.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: slc.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: userenv.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: sppc.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: mpr.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: pcacli.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: sfc_os.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: wininet.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: winhttp.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: mswsock.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: winnsi.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: dpapi.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: msasn1.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: gpapi.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: schannel.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: mskeyprotect.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: msi.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: version.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: cabinet.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: msxml3.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: wldp.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: profapi.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: wintypes.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: wintypes.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: wintypes.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: srclient.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: spp.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: powrprof.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: vssapi.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: vsstrace.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: umpdc.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: usoapi.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: sxproxy.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: feclient.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: iertutil.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: apphelp.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: srpapi.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: tsappcmp.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: netapi32.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: wkscli.dllJump to behavior
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeSection loaded: netutils.dllJump to behavior
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeSection loaded: apphelp.dll
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeSection loaded: uxtheme.dll
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeSection loaded: textshaping.dll
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeSection loaded: kernel.appcore.dll
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeSection loaded: textinputframework.dll
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeSection loaded: coreuicomponents.dll
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeSection loaded: coremessaging.dll
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeSection loaded: ntmarta.dll
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeSection loaded: coremessaging.dll
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeSection loaded: wintypes.dll
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeSection loaded: wintypes.dll
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeSection loaded: wintypes.dll
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeSection loaded: clusapi.dll
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeSection loaded: dnsapi.dll
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeSection loaded: iphlpapi.dll
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeSection loaded: wkscli.dll
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeSection loaded: cscapi.dll
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeSection loaded: netutils.dll
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeSection loaded: cryptsp.dll
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeSection loaded: rsaenh.dll
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeSection loaded: cryptbase.dll
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeSection loaded: feclient.dll
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeSection loaded: iertutil.dll
Source: C:\Windows\System32\SrTasks.exeSection loaded: spp.dll
Source: C:\Windows\System32\SrTasks.exeSection loaded: srclient.dll
Source: C:\Windows\System32\SrTasks.exeSection loaded: srcore.dll
Source: C:\Windows\System32\SrTasks.exeSection loaded: vssapi.dll
Source: C:\Windows\System32\SrTasks.exeSection loaded: spp.dll
Source: C:\Windows\System32\SrTasks.exeSection loaded: powrprof.dll
Source: C:\Windows\System32\SrTasks.exeSection loaded: ktmw32.dll
Source: C:\Windows\System32\SrTasks.exeSection loaded: vssapi.dll
Source: C:\Windows\System32\SrTasks.exeSection loaded: wer.dll
Source: C:\Windows\System32\SrTasks.exeSection loaded: spp.dll
Source: C:\Windows\System32\SrTasks.exeSection loaded: bcd.dll
Source: C:\Windows\System32\SrTasks.exeSection loaded: vsstrace.dll
Source: C:\Windows\System32\SrTasks.exeSection loaded: umpdc.dll
Source: C:\Windows\System32\SrTasks.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\SrTasks.exeSection loaded: ntmarta.dll
Source: C:\Windows\System32\SrTasks.exeSection loaded: dsrole.dll
Source: C:\Windows\System32\SrTasks.exeSection loaded: msxml3.dll
Source: C:\Windows\System32\SrTasks.exeSection loaded: vss_ps.dll
Source: C:\e4b15374fbeb09b00c2ff6ea22\Setup.exeSection loaded: apphelp.dll
Source: C:\e4b15374fbeb09b00c2ff6ea22\Setup.exeSection loaded: acgenral.dll
Source: C:\e4b15374fbeb09b00c2ff6ea22\Setup.exeSection loaded: uxtheme.dll
Source: C:\e4b15374fbeb09b00c2ff6ea22\Setup.exeSection loaded: winmm.dll
Source: C:\e4b15374fbeb09b00c2ff6ea22\Setup.exeSection loaded: samcli.dll
Source: C:\e4b15374fbeb09b00c2ff6ea22\Setup.exeSection loaded: msacm32.dll
Source: C:\e4b15374fbeb09b00c2ff6ea22\Setup.exeSection loaded: version.dll
Source: C:\e4b15374fbeb09b00c2ff6ea22\Setup.exeSection loaded: userenv.dll
Source: C:\e4b15374fbeb09b00c2ff6ea22\Setup.exeSection loaded: dwmapi.dll
Source: C:\e4b15374fbeb09b00c2ff6ea22\Setup.exeSection loaded: urlmon.dll
Source: C:\e4b15374fbeb09b00c2ff6ea22\Setup.exeSection loaded: mpr.dll
Source: C:\e4b15374fbeb09b00c2ff6ea22\Setup.exeSection loaded: sspicli.dll
Source: C:\e4b15374fbeb09b00c2ff6ea22\Setup.exeSection loaded: winmmbase.dll
Source: C:\e4b15374fbeb09b00c2ff6ea22\Setup.exeSection loaded: winmmbase.dll
Source: C:\e4b15374fbeb09b00c2ff6ea22\Setup.exeSection loaded: iertutil.dll
Source: C:\e4b15374fbeb09b00c2ff6ea22\Setup.exeSection loaded: srvcli.dll
Source: C:\e4b15374fbeb09b00c2ff6ea22\Setup.exeSection loaded: netutils.dll
Source: C:\e4b15374fbeb09b00c2ff6ea22\Setup.exeSection loaded: setupengine.dll
Source: C:\e4b15374fbeb09b00c2ff6ea22\Setup.exeSection loaded: msi.dll
Source: C:\e4b15374fbeb09b00c2ff6ea22\Setup.exeSection loaded: winhttp.dll
Source: C:\e4b15374fbeb09b00c2ff6ea22\Setup.exeSection loaded: secur32.dll
Source: C:\e4b15374fbeb09b00c2ff6ea22\Setup.exeSection loaded: sqmapi.dll
Source: C:\e4b15374fbeb09b00c2ff6ea22\Setup.exeSection loaded: msasn1.dll
Source: C:\e4b15374fbeb09b00c2ff6ea22\Setup.exeSection loaded: windows.storage.dll
Source: C:\e4b15374fbeb09b00c2ff6ea22\Setup.exeSection loaded: wldp.dll
Source: C:\e4b15374fbeb09b00c2ff6ea22\Setup.exeSection loaded: profapi.dll
Source: C:\e4b15374fbeb09b00c2ff6ea22\Setup.exeSection loaded: ntmarta.dll
Source: C:\e4b15374fbeb09b00c2ff6ea22\Setup.exeSection loaded: kernel.appcore.dll
Source: C:\e4b15374fbeb09b00c2ff6ea22\Setup.exeSection loaded: msxml3.dll
Source: C:\e4b15374fbeb09b00c2ff6ea22\Setup.exeSection loaded: msxml3.dll
Source: C:\e4b15374fbeb09b00c2ff6ea22\Setup.exeSection loaded: msxml3.dll
Source: C:\e4b15374fbeb09b00c2ff6ea22\Setup.exeSection loaded: msxml3.dll
Source: C:\e4b15374fbeb09b00c2ff6ea22\Setup.exeSection loaded: msxml3.dll
Source: C:\e4b15374fbeb09b00c2ff6ea22\Setup.exeSection loaded: msxml3.dll
Source: C:\e4b15374fbeb09b00c2ff6ea22\Setup.exeSection loaded: msxml3.dll
Source: C:\e4b15374fbeb09b00c2ff6ea22\Setup.exeSection loaded: msxml3.dll
Source: C:\e4b15374fbeb09b00c2ff6ea22\Setup.exeSection loaded: msxml3.dll
Source: C:\e4b15374fbeb09b00c2ff6ea22\Setup.exeSection loaded: msxml3.dll
Source: C:\e4b15374fbeb09b00c2ff6ea22\Setup.exeSection loaded: msxml3.dll
Source: C:\e4b15374fbeb09b00c2ff6ea22\Setup.exeSection loaded: msxml3.dll
Source: C:\e4b15374fbeb09b00c2ff6ea22\Setup.exeSection loaded: msxml3.dll
Source: C:\e4b15374fbeb09b00c2ff6ea22\Setup.exeSection loaded: msxml3.dll
Source: C:\e4b15374fbeb09b00c2ff6ea22\Setup.exeSection loaded: msxml3.dll
Source: C:\e4b15374fbeb09b00c2ff6ea22\Setup.exeSection loaded: msxml3.dll
Source: C:\e4b15374fbeb09b00c2ff6ea22\Setup.exeSection loaded: msxml3.dll
Source: C:\e4b15374fbeb09b00c2ff6ea22\Setup.exeSection loaded: msxml3.dll
Source: C:\e4b15374fbeb09b00c2ff6ea22\Setup.exeSection loaded: msxml3.dll
Source: C:\e4b15374fbeb09b00c2ff6ea22\Setup.exeSection loaded: msxml3.dll
Source: C:\e4b15374fbeb09b00c2ff6ea22\Setup.exeSection loaded: msxml3.dll
Source: C:\e4b15374fbeb09b00c2ff6ea22\Setup.exeSection loaded: msxml3.dll
Source: C:\e4b15374fbeb09b00c2ff6ea22\Setup.exeSection loaded: msxml3.dll
Source: C:\e4b15374fbeb09b00c2ff6ea22\Setup.exeSection loaded: msxml3.dll
Source: C:\e4b15374fbeb09b00c2ff6ea22\Setup.exeSection loaded: msxml3.dll
Source: C:\e4b15374fbeb09b00c2ff6ea22\Setup.exeSection loaded: cryptsp.dll
Source: C:\e4b15374fbeb09b00c2ff6ea22\Setup.exeSection loaded: rsaenh.dll
Source: C:\e4b15374fbeb09b00c2ff6ea22\Setup.exeSection loaded: cryptbase.dll
Source: C:\e4b15374fbeb09b00c2ff6ea22\Setup.exeSection loaded: gpapi.dll
Source: C:\e4b15374fbeb09b00c2ff6ea22\Setup.exeSection loaded: msisip.dll
Source: C:\e4b15374fbeb09b00c2ff6ea22\Setup.exeSection loaded: srpapi.dll
Source: C:\e4b15374fbeb09b00c2ff6ea22\Setup.exeSection loaded: tsappcmp.dll
Source: C:\e4b15374fbeb09b00c2ff6ea22\Setup.exeSection loaded: netapi32.dll
Source: C:\e4b15374fbeb09b00c2ff6ea22\Setup.exeSection loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: msasn1.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: rsaenh.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: msisip.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: gpapi.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: version.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: rstrtmgr.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: ncrypt.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: ntasn1.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: ntmarta.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: msisip.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dll
Source: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exeSection loaded: apphelp.dll
Source: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exeSection loaded: uxtheme.dll
Source: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exeSection loaded: textshaping.dll
Source: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exeSection loaded: kernel.appcore.dll
Source: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exeSection loaded: textinputframework.dll
Source: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exeSection loaded: coreuicomponents.dll
Source: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exeSection loaded: coremessaging.dll
Source: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exeSection loaded: ntmarta.dll
Source: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exeSection loaded: wintypes.dll
Source: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exeSection loaded: clusapi.dll
Source: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exeSection loaded: dnsapi.dll
Source: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exeSection loaded: iphlpapi.dll
Source: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exeSection loaded: wkscli.dll
Source: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exeSection loaded: cscapi.dll
Source: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exeSection loaded: netutils.dll
Source: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exeSection loaded: cryptsp.dll
Source: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exeSection loaded: rsaenh.dll
Source: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exeSection loaded: cryptbase.dll
Source: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exeSection loaded: feclient.dll
Source: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exeSection loaded: iertutil.dll
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeSection loaded: uxtheme.dll
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeSection loaded: textshaping.dll
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeSection loaded: kernel.appcore.dll
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeSection loaded: textinputframework.dll
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeSection loaded: coreuicomponents.dll
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeSection loaded: coremessaging.dll
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeSection loaded: ntmarta.dll
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeSection loaded: wintypes.dll
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeSection loaded: clusapi.dll
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeSection loaded: dnsapi.dll
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeSection loaded: iphlpapi.dll
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeSection loaded: wkscli.dll
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeSection loaded: cscapi.dll
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeSection loaded: netutils.dll
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeSection loaded: cryptsp.dll
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeSection loaded: rsaenh.dll
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeSection loaded: cryptbase.dll
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeSection loaded: feclient.dll
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeSection loaded: iertutil.dll
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeSection loaded: apphelp.dll
Source: C:\9e8b505ac5bf67d26cfba004c7a3fd\install.exeSection loaded: apphelp.dll
Source: C:\9e8b505ac5bf67d26cfba004c7a3fd\install.exeSection loaded: version.dll
Source: C:\9e8b505ac5bf67d26cfba004c7a3fd\install.exeSection loaded: uxtheme.dll
Source: C:\9e8b505ac5bf67d26cfba004c7a3fd\install.exeSection loaded: install.res.2057.dll
Source: C:\9e8b505ac5bf67d26cfba004c7a3fd\install.exeSection loaded: install.res.1033.dll
Source: C:\9e8b505ac5bf67d26cfba004c7a3fd\install.exeSection loaded: secur32.dll
Source: C:\9e8b505ac5bf67d26cfba004c7a3fd\install.exeSection loaded: msi.dll
Source: C:\9e8b505ac5bf67d26cfba004c7a3fd\install.exeSection loaded: kernel.appcore.dll
Source: C:\9e8b505ac5bf67d26cfba004c7a3fd\install.exeSection loaded: srpapi.dll
Source: C:\9e8b505ac5bf67d26cfba004c7a3fd\install.exeSection loaded: tsappcmp.dll
Source: C:\9e8b505ac5bf67d26cfba004c7a3fd\install.exeSection loaded: netapi32.dll
Source: C:\9e8b505ac5bf67d26cfba004c7a3fd\install.exeSection loaded: wkscli.dll
Source: C:\9e8b505ac5bf67d26cfba004c7a3fd\install.exeSection loaded: netutils.dll
Source: C:\9e8b505ac5bf67d26cfba004c7a3fd\install.exeSection loaded: windows.storage.dll
Source: C:\9e8b505ac5bf67d26cfba004c7a3fd\install.exeSection loaded: wldp.dll
Source: C:\9e8b505ac5bf67d26cfba004c7a3fd\install.exeSection loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dll
Source: C:\5dbc7bbf14917454e3442522d4a6\Setup.exeSection loaded: apphelp.dll
Source: C:\5dbc7bbf14917454e3442522d4a6\Setup.exeSection loaded: acgenral.dll
Source: C:\5dbc7bbf14917454e3442522d4a6\Setup.exeSection loaded: uxtheme.dll
Source: C:\5dbc7bbf14917454e3442522d4a6\Setup.exeSection loaded: winmm.dll
Source: C:\5dbc7bbf14917454e3442522d4a6\Setup.exeSection loaded: samcli.dll
Source: C:\5dbc7bbf14917454e3442522d4a6\Setup.exeSection loaded: msacm32.dll
Source: C:\5dbc7bbf14917454e3442522d4a6\Setup.exeSection loaded: version.dll
Source: C:\5dbc7bbf14917454e3442522d4a6\Setup.exeSection loaded: userenv.dll
Source: C:\5dbc7bbf14917454e3442522d4a6\Setup.exeSection loaded: dwmapi.dll
Source: C:\5dbc7bbf14917454e3442522d4a6\Setup.exeSection loaded: urlmon.dll
Source: C:\5dbc7bbf14917454e3442522d4a6\Setup.exeSection loaded: mpr.dll
Source: C:\5dbc7bbf14917454e3442522d4a6\Setup.exeSection loaded: sspicli.dll
Source: C:\5dbc7bbf14917454e3442522d4a6\Setup.exeSection loaded: winmmbase.dll
Source: C:\5dbc7bbf14917454e3442522d4a6\Setup.exeSection loaded: iertutil.dll
Source: C:\5dbc7bbf14917454e3442522d4a6\Setup.exeSection loaded: srvcli.dll
Source: C:\5dbc7bbf14917454e3442522d4a6\Setup.exeSection loaded: netutils.dll
Source: C:\5dbc7bbf14917454e3442522d4a6\Setup.exeSection loaded: setupengine.dll
Source: C:\5dbc7bbf14917454e3442522d4a6\Setup.exeSection loaded: msi.dll
Source: C:\5dbc7bbf14917454e3442522d4a6\Setup.exeSection loaded: winhttp.dll
Source: C:\5dbc7bbf14917454e3442522d4a6\Setup.exeSection loaded: secur32.dll
Source: C:\5dbc7bbf14917454e3442522d4a6\Setup.exeSection loaded: sqmapi.dll
Source: C:\5dbc7bbf14917454e3442522d4a6\Setup.exeSection loaded: msasn1.dll
Source: C:\5dbc7bbf14917454e3442522d4a6\Setup.exeSection loaded: profapi.dll
Source: C:\5dbc7bbf14917454e3442522d4a6\Setup.exeSection loaded: ntmarta.dll
Source: C:\5dbc7bbf14917454e3442522d4a6\Setup.exeSection loaded: kernel.appcore.dll
Source: C:\5dbc7bbf14917454e3442522d4a6\Setup.exeSection loaded: msxml3.dll
Source: C:\Users\user\Desktop\SPCapIQProOffice-1.0.24095.1.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\InProcServer32
Source: C:\Windows\System32\msiexec.exeFile written: C:\Program Files\Common Files\microsoft shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\install.ini
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeAutomated click: Install
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeAutomated click: Install
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeAutomated click: OK
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeWindow detected: Number of UI elements: 20
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VC
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VC\msdia100.dll
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\install.ini
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\vstor40_x64.cab
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\eula.1025.txt
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\eula.2052.txt
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\eula.1028.txt
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\eula.1030.txt
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\eula.1031.txt
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\eula.1033.txt
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\eula.3082.txt
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\eula.1035.txt
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\eula.1036.txt
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\eula.1037.txt
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\eula.1040.txt
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\eula.1041.txt
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\eula.1042.txt
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\eula.1043.txt
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\eula.1044.txt
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\eula.1045.txt
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\eula.1046.txt
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\eula.1049.txt
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\eula.1053.txt
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\globdata.ini
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\install.exe
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\install.res.1025.dll
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\install.res.2052.dll
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\install.res.1028.dll
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\install.res.1030.dll
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\install.res.1031.dll
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\install.res.1033.dll
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\install.res.3082.dll
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\install.res.1035.dll
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\install.res.1036.dll
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\install.res.1037.dll
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\install.res.1040.dll
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\install.res.1041.dll
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\install.res.1042.dll
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\install.res.1043.dll
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\install.res.1044.dll
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\install.res.1045.dll
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\install.res.1046.dll
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\install.res.1049.dll
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\install.res.1053.dll
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\VSTOInstallerUI.dll
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\VSTOLoaderUI.dll
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOMessageProvider.dll
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\vstor40_x64.MSI
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee100.tlb
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee90.tlb
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee.dll
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe
Source: C:\Windows\System32\msiexec.exeDirectory created: c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOLoader.dll
Source: SPCapIQProOffice-1.0.24095.1.exeStatic PE information: certificate valid
Source: C:\Windows\System32\msiexec.exeFile opened: c:\Windows\SysWOW64\msvcr100.dll
Source: SPCapIQProOffice-1.0.24095.1.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SPCapIQProOffice-1.0.24095.1.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SPCapIQProOffice-1.0.24095.1.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SPCapIQProOffice-1.0.24095.1.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SPCapIQProOffice-1.0.24095.1.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SPCapIQProOffice-1.0.24095.1.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: SPCapIQProOffice-1.0.24095.1.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: D:\A\_work\681\a\WixBaDetectCapIqFunc.pdb source: SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000002.2896800650.000000006CBF4000.00000002.00000001.01000000.0000000A.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000D.00000002.2895086718.000000006C174000.00000002.00000001.01000000.00000010.sdmp
Source: Binary string: l!SNL.Clients.Office.PowerPoint.pdb source: SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2586195091.00000000010C5000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000002.2887871995.00000000010CF000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2585529102.00000000010C3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: l(itcxszeg.pdb|SNL.Clients.Office.Shim.pdb source: SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2583715727.00000000010CA000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2584419135.00000000010CF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: l.dsomi07c.pdb|SNL.Clients.Office.PowerPoint.pdbb source: SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2584704299.00000000010BE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: !SNL.Clients.Office.PowerPoint.pdb source: SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2585201732.00000000010B6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: SNL.Clients.Office.Excel.pdb!= source: SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2586079679.00000000010AA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: SNL.Clients.Office.Shim.pdb source: SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2586079679.00000000010AA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: SNL.Clients.Office.Word.pdb source: SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2586195091.00000000010C5000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2586079679.00000000010AA000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2585529102.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2585201732.00000000010B6000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2583715727.00000000010CA000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2584419135.00000000010CF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: l.dsomi07c.pdb|SNL.Clients.Office.PowerPoint.pdb source: SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2587094639.00000000010DB000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000002.2887871995.00000000010CF000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2585529102.00000000010DB000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2586195091.00000000010DB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Setup.pdb source: Setup.exe, 00000016.00000002.2599276952.0000000000851000.00000020.00000001.01000000.00000012.sdmp, Setup.exe, 00000016.00000000.2183636790.0000000000851000.00000020.00000001.01000000.00000012.sdmp, Setup.exe, 0000001D.00000000.2466014019.0000000000071000.00000020.00000001.01000000.0000001C.sdmp, Setup.exe, 0000001D.00000002.2574358507.0000000000071000.00000020.00000001.01000000.0000001C.sdmp
Source: Binary string: SNL.Clients.Office.Host.pdbM= source: SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2586079679.00000000010AA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\delivery\Dev\wix35\build\ship\x86\netfxca.pdb source: MSI6DC.tmp.23.dr
Source: Binary string: Microsoft.Office.Tools.Excel.v9.0.pdbP source: 44aaf8.rbf.23.dr
Source: Binary string: sqmapi.pdb source: Setup.exe, 00000016.00000002.2604661032.000000006BD81000.00000020.00000001.01000000.00000014.sdmp, Setup.exe, 0000001D.00000002.2577383725.000000006B9C1000.00000020.00000001.01000000.0000001E.sdmp
Source: Binary string: SetupEngine.pdb source: Setup.exe, 00000016.00000002.2605209130.000000006BDC1000.00000020.00000001.01000000.00000013.sdmp, Setup.exe, 0000001D.00000002.2577668762.000000006B9F1000.00000020.00000001.01000000.0000001D.sdmp
Source: Binary string: install.pdb source: vstor40_x64.exe, 00000018.00000002.2594285185.0000000000DC6000.00000004.00000020.00020000.00000000.sdmp, install.exe, 0000001A.00000002.2591416989.00007FF7AECA4000.00000002.00000001.01000000.0000001A.sdmp, install.exe, 0000001A.00000000.2413587318.00007FF7AECA4000.00000002.00000001.01000000.0000001A.sdmp
Source: Binary string: l(wiwfwpgt.pdb|SNL.Clients.Office.Word.pdb1 source: SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2583715727.00000000010CA000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2584419135.00000000010CF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: f:\dd\trinity\appnet\fx\runtime\ContractsV10\VSTOContract\objr\i386\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.pdb source: 44ab03.rbf.23.dr
Source: Binary string: l!SNL.Clients.Office.PowerPoint.pdbj source: SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2583715727.00000000010CA000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2584419135.00000000010CF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: MFCM100.amd64.pdbHp source: mfcm100.dll0.23.dr
Source: Binary string: SNL.Clients.Office.Common.pdbX source: SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2584704299.00000000010BE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: l(ombgpqa2.pdb|SNL.Clients.Office.Host.pdb source: SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2586079679.00000000010AA000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2583715727.00000000010CA000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2584419135.00000000010CF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: f:\dd\trinity\vsta\rt\VSTAAddInModel\CAA\objr\i386\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0.pdb source: FL_MSVSTAAddInAdapter_Pipeline_v10_enu_amd64.23.dr
Source: Binary string: MFCM100.amd64.pdb source: mfcm100.dll0.23.dr
Source: Binary string: l*txfpcpzj.pdb|SNL.Clients.Office.Common.pdb7 source: SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2584264924.00000000010D3000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2585529102.00000000010D4000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2583715727.00000000010CA000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2585201732.00000000010D4000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2587094639.00000000010D4000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2586195091.00000000010D4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: l"SNL.Clients.Office.Common.Core.pdb source: SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2586195091.00000000010C5000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000002.2887871995.00000000010CF000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2585529102.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2583715727.00000000010CA000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2584419135.00000000010CF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\agent\_work\8\s\build\ship\x86\burn.pdb source: SPCapIQProOffice-1.0.24095.1.exe
Source: Binary string: sfxcab.pdb source: vstor_redist.exe, 00000012.00000002.2610552026.0000000001002000.00000020.00000001.01000000.00000011.sdmp, vstor_redist.exe, 00000012.00000000.2089501904.0000000001002000.00000020.00000001.01000000.00000011.sdmp, vstor40_x64.exe, 00000018.00000002.2594610762.0000000001002000.00000020.00000001.01000000.00000019.sdmp, vstor40_x64.exe, 00000018.00000000.2395505903.0000000001002000.00000020.00000001.01000000.00000019.sdmp, vstor_redist.exe, 00000019.00000002.2581768099.0000000001002000.00000020.00000001.01000000.00000011.sdmp, vstor_redist.exe, 00000019.00000000.2411609798.0000000001002000.00000020.00000001.01000000.00000011.sdmp, vstor40_LP_x86_heb.exe.18.dr, vstor40_LP_x64_deu.exe.18.dr
Source: Binary string: l/c5bm5dgu.pdb|SNL.Clients.Office.Common.Core.pdb source: SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2586859040.00000000010DE000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2585529102.00000000010DB000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2586195091.00000000010DB000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2584798602.00000000010B3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: l)zaakjhur.pdb|SNL.Clients.Office.Excel.pdb source: SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2586079679.00000000010AA000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2584264924.00000000010D3000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2583715727.00000000010CA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.Office.Tools.Excel.v9.0.pdb source: 44aaf8.rbf.23.dr
Source: Binary string: f:\dd\trinity\appnet\fx\runtime\ContractsV10\VSTOContract\objr\i386\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.pdbD[^[ P[_CorDllMainmscoree.dll source: 44ab03.rbf.23.dr
Source: Binary string: vstoee.pdbN source: vsto_shared_vstoee_x86.3643236F_FC70_11D3_A536_0090278A1BB8.23.dr
Source: Binary string: patchhooks.pdb source: Setup.exe, 00000016.00000003.2275613374.000000000315F000.00000004.00000020.00020000.00000000.sdmp, vstor40_x64.exe, 00000018.00000002.2594285185.0000000000DC6000.00000004.00000020.00020000.00000000.sdmp, vc_red.msi0.25.dr
Source: Binary string: C:\delivery\Dev\wix35\build\ship\x86\netfxca.pdb U source: MSI6DC.tmp.23.dr
Source: Binary string: C:\agent\_work\8\s\build\ship\x86\WixStdBA.pdb source: SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000002.2897428739.000000006CC1F000.00000002.00000001.01000000.00000007.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000D.00000002.2895658611.000000006C19F000.00000002.00000001.01000000.0000000F.sdmp, wixstdba.dll.13.dr
Source: Binary string: SNL.Clients.Office.Excel.pdb source: SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2586195091.00000000010C5000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2585529102.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2585201732.00000000010B6000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2583715727.00000000010CA000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2584419135.00000000010CF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: SNL.Clients.Office.Host.pdb source: SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2586195091.00000000010C5000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2585529102.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2585201732.00000000010B6000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2583715727.00000000010CA000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2584419135.00000000010CF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: l(wiwfwpgt.pdb|SNL.Clients.Office.Word.pdb source: SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2586079679.00000000010AA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: l*txfpcpzj.pdb|SNL.Clients.Office.Common.pdb source: SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2586079679.00000000010AA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: atl100.i386.pdb source: F_CENTRAL_atl100_x86.23.dr
Source: Binary string: vstoee.pdb source: vsto_shared_vstoee_x86.3643236F_FC70_11D3_A536_0090278A1BB8.23.dr
Source: Binary string: /c5bm5dgu.pdb|SNL.Clients.Office.Common.Core.pdb source: SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2585201732.00000000010DB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: SNL.Clients.Office.Shim.pdbv source: SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2586195091.00000000010C5000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2585529102.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2585201732.00000000010B6000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2583715727.00000000010CA000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2584419135.00000000010CF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: .dsomi07c.pdb|SNL.Clients.Office.PowerPoint.pdb source: SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2585201732.00000000010DB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: l(itcxszeg.pdb|SNL.Clients.Office.Shim.pdbx? source: SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2586079679.00000000010AA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: SNL.Clients.Office.Common.pdb source: SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2585529102.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2585201732.00000000010B6000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000002.2887542922.00000000010C3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: "SNL.Clients.Office.Common.Core.pdb source: SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2585201732.00000000010B6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: SetupResources.pdb source: SetupResources.dll6.18.dr, SetupResources.dll12.25.dr, SetupResources.dll9.18.dr, SetupResources.dll4.25.dr, SetupResources.dll16.18.dr, SetupResources.dll1.25.dr, SetupResources.dll16.25.dr
Source: Binary string: C:\agent\_work\8\s\build\ship\x86\SfxCA.pdb source: MSI3B24.tmp.23.dr
Source: SPCapIQProOffice-1.0.24095.1.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SPCapIQProOffice-1.0.24095.1.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SPCapIQProOffice-1.0.24095.1.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SPCapIQProOffice-1.0.24095.1.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SPCapIQProOffice-1.0.24095.1.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: SPCapIQProOffice-1.0.24095.1.exe Static PE information: section name: .wixburn
Source: SPCapIQProOffice-1.0.24095.1.exe.0.dr Static PE information: section name: .wixburn
Source: SPCapIQProOffice-1.0.24095.1.exe.1.dr Static PE information: section name: .wixburn
Source: SPCapIQProOffice-1.0.24095.1.exe.2.dr Static PE information: section name: .wixburn
Source: C:\Users\user\Desktop\SPCapIQProOffice-1.0.24095.1.exe Code function: 0_2_0003EAD6 push ecx; ret 0_2_0003EAE9
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exe Code function: 1_2_0096EAD6 push ecx; ret 1_2_0096EAE9
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exe Code function: 1_2_6CBE2496 push ecx; ret 1_2_6CBE24A9
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exe Code function: 1_2_6CBF38B8 push ecx; ret 1_2_6CBF38B6
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exe Code function: 1_2_6CC0F346 push ecx; ret 1_2_6CC0F359
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exe Code function: 2_2_0067EAD6 push ecx; ret 2_2_0067EAE9
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe Code function: 11_2_0018EAD6 push ecx; ret 11_2_0018EAE9
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe Code function: 13_2_6C162496 push ecx; ret 13_2_6C1624A9
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe Code function: 13_2_6C1738B8 push ecx; ret 13_2_6C1738B6
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe Code function: 13_2_6C18F346 push ecx; ret 13_2_6C18F359

Persistence and Installation Behavior

Source: C:\e4b15374fbeb09b00c2ff6ea22\Setup.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A43489159A520F0D93D032CCAF37E7FE20A8B419 Blob
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeFile created: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_LP_x86_heb.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Config.Msi\44aafa.rbfJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Common Files\microsoft shared\VSTO\vstoee90.tlbJump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeFile created: C:\5dbc7bbf14917454e3442522d4a6\2052\SetupResources.dllJump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeFile created: C:\5dbc7bbf14917454e3442522d4a6\vstor40\vstor40_LP_x86_nld.exeJump to dropped file
Source: C:\Users\user\Desktop\SPCapIQProOffice-1.0.24095.1.exeFile created: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeJump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeFile created: C:\e4b15374fbeb09b00c2ff6ea22\1036\SetupResources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\FL_MSVSTOWordHostAdapter_GAC_v10_amd64Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\mfc100cht.dllJump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeFile created: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_LP_x64_esn.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Common Files\microsoft shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\install.res.1028.dllJump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeFile created: C:\5dbc7bbf14917454e3442522d4a6\vstor40\vstor40_LP_x64_ptb.exeJump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeFile created: C:\e4b15374fbeb09b00c2ff6ea22\1042\SetupResources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Common Files\microsoft shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\install.res.1036.dllJump to dropped file
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeFile created: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.ba\wixstdba.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Common Files\Microsoft Shared\VC\msdia100.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\System32\mfcm100u.dllJump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeFile created: C:\e4b15374fbeb09b00c2ff6ea22\sqmapi.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Config.Msi\44aaec.rbfJump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeFile created: C:\e4b15374fbeb09b00c2ff6ea22\2052\SetupResources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI390E.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Config.Msi\44aaf9.rbfJump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeFile created: C:\5dbc7bbf14917454e3442522d4a6\vstor40\vstor40_LP_x64_ita.exeJump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeFile created: C:\5dbc7bbf14917454e3442522d4a6\1042\SetupResources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\FL_MSVSTOExcelInterfaces_GAC_nomaf_runtime_amd64Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Config.Msi\44ab00.rbfJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\System32\mfc100ita.dllJump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeFile created: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_LP_x86_deu.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Common Files\microsoft shared\VSTO\vstoee100.tlbJump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeFile created: C:\5dbc7bbf14917454e3442522d4a6\vstor40\vstor40_LP_x86_kor.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\FL_MSVSTAAddInAdapter_GAC_v10_enu_amd64Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\vcomp100.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\mfc100u.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Config.Msi\44ab15.rbfJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\FL_Microsoft_VisualStudio_Tools_Applications_Hosting_v10_amd64Jump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeFile created: C:\5dbc7bbf14917454e3442522d4a6\vstor40\vstor40_LP_x64_nor.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENTRAL_mfc100cht_x64Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENTRAL_mfc100rus_x64Jump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeFile created: C:\e4b15374fbeb09b00c2ff6ea22\1045\SetupResources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI74A.tmpJump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeFile created: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exeJump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeFile created: C:\e4b15374fbeb09b00c2ff6ea22\1033\SetupResources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Common Files\microsoft shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\install.res.1044.dllJump to dropped file
Source: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exeFile created: C:\9e8b505ac5bf67d26cfba004c7a3fd\install.res.1035.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\mfc100esn.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Config.Msi\44ab0f.rbfJump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeFile created: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_LP_x86_jpn.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Config.Msi\44aaf2.rbfJump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeFile created: C:\5dbc7bbf14917454e3442522d4a6\1036\SetupResources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100chs_x86Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Config.Msi\44aafe.rbfJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\FL_MSVSTORuntime_GAC_amd64.enuJump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeFile created: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_LP_x86_ara.exeJump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeFile created: C:\5dbc7bbf14917454e3442522d4a6\1033\SetupResources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENTRAL_mfc100esn_x64Jump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeFile created: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_LP_x64_kor.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Config.Msi\44aaf5.rbfJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\System32\atl100.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\mfc100rus.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\mfcm100.dllJump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeFile created: C:\5dbc7bbf14917454e3442522d4a6\1045\SetupResources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Config.Msi\44ab04.rbfJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENTRAL_msvcp100_x64Jump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeFile created: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_LP_x86_plk.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI1A47.tmpJump to dropped file
Source: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exeFile created: C:\9e8b505ac5bf67d26cfba004c7a3fd\install.res.1040.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\FL_Microsoft.VisualStudio.Tools.Applications.ServerDocument.v10_GAC_amd64.enuJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Config.Msi\44ab12.rbfJump to dropped file
Source: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exeFile created: C:\9e8b505ac5bf67d26cfba004c7a3fd\install.res.1031.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\FL_Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll_GAC_amd64Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\Microsoft.VisualStudio.Tools.Applications.Runtime.v10_GAC.amd64.enuJump to dropped file
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exeFile created: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeJump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeFile created: C:\5dbc7bbf14917454e3442522d4a6\3082\SetupResources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Common Files\microsoft shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\install.res.1041.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\FL_MSVSTOWordInterfaces_GAC_nomaf_runtime_amd64Jump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeFile created: C:\e4b15374fbeb09b00c2ff6ea22\3082\SetupResources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\FL_MSVSTOOutlookInterfaces_GAC_nomaf_runtime_amd64Jump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeFile created: C:\5dbc7bbf14917454e3442522d4a6\vstor40\vstor40_LP_x64_rus.exeJump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeFile created: C:\5dbc7bbf14917454e3442522d4a6\vstor40\vstor40_LP_x64_plk.exeJump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeFile created: C:\5dbc7bbf14917454e3442522d4a6\vstor40\vstor40_LP_x86_sve.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Common Files\microsoft shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\install.res.1033.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\mfc100enu.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_vcomp100_x86Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIEC1E.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Config.Msi\44ab0c.rbfJump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeFile created: C:\e4b15374fbeb09b00c2ff6ea22\1053\SetupResources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\System32\mfc100jpn.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\FL_MSVSTOExcelHostAdapter_GAC_v10_amd64Jump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeFile created: C:\5dbc7bbf14917454e3442522d4a6\1053\SetupResources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Config.Msi\44ab19.rbfJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENTRAL_mfc100enu_x64Jump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeFile created: C:\e4b15374fbeb09b00c2ff6ea22\SetupUi.dllJump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeFile created: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_LP_x64_chs.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\Microsoft.Office.Tools.Excel.Adapter_Pipeline.v10.amd64.enuJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Config.Msi\44aaef.rbfJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\System32\vcomp100.dllJump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeFile created: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_LP_x86_fra.exeJump to dropped file
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exeFile created: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe (copy)Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENTRAL_mfc100kor_x64Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Common Files\microsoft shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\install.res.1045.dllJump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeFile created: C:\e4b15374fbeb09b00c2ff6ea22\1040\SetupResources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_msvcr100_x86Jump to dropped file
Source: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exeFile created: C:\9e8b505ac5bf67d26cfba004c7a3fd\install.res.1036.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI593.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100deu_x86Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\atl100.dllJump to dropped file
Source: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exeFile created: C:\9e8b505ac5bf67d26cfba004c7a3fd\install.res.2052.dllJump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeFile created: C:\5dbc7bbf14917454e3442522d4a6\SetupUi.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\mfc100chs.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\FL_MSVSTOWordImpl_GAC_nomaf_runtime_amd64Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_msvcp100_x86Jump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeFile created: C:\e4b15374fbeb09b00c2ff6ea22\1044\SetupResources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\FL_MSVSTARuntime_GAC_nomaf_runtime_amd64Jump to dropped file
Source: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exeFile created: C:\9e8b505ac5bf67d26cfba004c7a3fd\install.res.1044.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOLoader.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Config.Msi\44aaed.rbfJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\System32\msvcp100.dllJump to dropped file
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeFile created: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.ba\bafunctions.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Config.Msi\44aafb.rbfJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Config.Msi\44ab01.rbfJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Common Files\microsoft shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\install.res.1025.dllJump to dropped file
Source: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exeFile created: C:\9e8b505ac5bf67d26cfba004c7a3fd\install.res.1041.dllJump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeFile created: C:\5dbc7bbf14917454e3442522d4a6\1028\SetupResources.dllJump to dropped file
Source: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exeFile created: C:\9e8b505ac5bf67d26cfba004c7a3fd\install.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Common Files\microsoft shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\install.res.1042.dllJump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeFile created: C:\e4b15374fbeb09b00c2ff6ea22\Setup.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\System32\mfc100rus.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: 44aae5.rbf (copy)Jump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeFile created: C:\5dbc7bbf14917454e3442522d4a6\vstor40\vstor40_LP_x64_dan.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\VSTOInstaller_exe_x86.3643236F_FC70_11D3_A536_0090278A1BB8Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Config.Msi\44ab07.rbfJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOMessageProvider.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100fra_x86Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\FL_MSVSTOOutlookHostAdapter_GAC_v10_amd64Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\FL_Microsoft.VisualStudio.Tools.Applications.Contract.v10_Pipeline_amd64Jump to dropped file
Source: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exeFile created: C:\9e8b505ac5bf67d26cfba004c7a3fd\install.res.1030.dllJump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeFile created: C:\5dbc7bbf14917454e3442522d4a6\vstor40\vstor40_LP_x86_ita.exeJump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeFile created: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_LP_x64_rus.exeJump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeFile created: C:\e4b15374fbeb09b00c2ff6ea22\SetupEngine.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\FL_VSTOMessageProvider_x86.3643236F_FC70_11D3_A536_0090278A1BB8Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_atl100_x86Jump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeFile created: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x86.exeJump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeFile created: C:\5dbc7bbf14917454e3442522d4a6\vstor40\vstor40_LP_x86_plk.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Config.Msi\44aaf6.rbfJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfcm100u_x86Jump to dropped file
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exeFile created: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe (copy)Jump to dropped file
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exeFile created: C:\ProgramData\Package Cache\.unverified\VSTOR (copy)Jump to dropped file
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exeFile created: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENTRAL_mfc100u_x64Jump to dropped file
Source: C:\Users\user\Desktop\SPCapIQProOffice-1.0.24095.1.exeFile created: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\FL_MSVSTOWordHostAdapter_GAC_v10_amd64Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\mfc100cht.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\System32\mfc100.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100ita_x86Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\System32\mfc100chs.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\FL_MSVSTOExcelImpl_GAC_nomaf_runtime_amd64Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\Microsoft.VisualStudio.Tools.Applications.Runtime.v10_Pipeline.amd64.enuJump to dropped file
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeFile created: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.ba\wixstdba.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\System32\mfcm100u.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI390E.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100u_x86Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\FL_MSVSTOExcelInterfaces_GAC_nomaf_runtime_amd64Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\System32\mfc100ita.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100enu_x86Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\mfc100deu.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\FL_MSVSTAAddInAdapter_GAC_v10_enu_amd64Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\vcomp100.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIE789.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\mfc100u.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\System32\mfc100u.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\FL_Microsoft_VisualStudio_Tools_Applications_Hosting_v10_amd64Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENTRAL_mfc100cht_x64Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENTRAL_mfc100rus_x64Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENTRAL_mfc100fra_x64Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI74A.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100rus_x86Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\FL_MSVSTAAddInAdapter_Pipeline_v10_enu_amd64Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\mfc100esn.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10_Pipeline.amd64.enuJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\FL_MSVSTORuntime_GAC_nomaf_runtime_amd64Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\System32\mfc100fra.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100chs_x86Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\FL_MSVSTORuntime_GAC_amd64.enuJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\vsto_shared_typelib100_x86.3643236F_FC70_11D3_A536_0090278A1BB8Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENTRAL_mfc100esn_x64Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\Microsoft.Office.Tools.Word.Adapter_Pipeline.v10.amd64.enuJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\System32\atl100.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\mfc100rus.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\mfcm100.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\vsto_shared_vstoee_x86.3643236F_FC70_11D3_A536_0090278A1BB8Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENTRAL_msvcp100_x64Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENTRAL_mfc100deu_x64Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI1A47.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\FL_Microsoft.VisualStudio.Tools.Applications.ServerDocument.v10_GAC_amd64.enuJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\System32\mfcm100.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\System32\mfc100kor.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\FL_Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll_GAC_amd64Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\Microsoft.VisualStudio.Tools.Applications.Runtime.v10_GAC.amd64.enuJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\FL_MSVSTOWordInterfaces_GAC_nomaf_runtime_amd64Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENTRAL_mfc100_x64Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\FL_MSVSTOOutlookInterfaces_GAC_nomaf_runtime_amd64Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\FL_MSVSTOV4Framework_GAC_nomaf_runtime_amd64Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\FL_MSVSTORuntime_GAC_nomaf_runtime_internal_amd64Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\mfc100enu.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_vcomp100_x86Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIEC1E.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENTRAL_mfcm100_x64Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\FL_VSTOInstallerUI_enu_x86.3643236F_FC70_11D3_A536_0090278A1BB8Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENTRAL_vcomp100_x64Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\System32\mfc100jpn.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\FL_MSVSTOExcelHostAdapter_GAC_v10_amd64Jump to dropped file
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeFile created: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENTRAL_mfc100enu_x64Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\Microsoft.Office.Tools.Excel.Adapter_Pipeline.v10.amd64.enuJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\System32\vcomp100.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI6DC.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENTRAL_mfc100kor_x64Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_msvcr100_x86Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI593.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100esn_x86Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100deu_x86Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\atl100.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\FL_Microsoft.VisualStudio.Tools.Applications.Contract.v10_GAC_amd64Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\mfc100chs.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\FL_MSVSTOWordImpl_GAC_nomaf_runtime_amd64Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\System32\mfc100esn.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_msvcp100_x86Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\FL_MSVSTARuntime_GAC_nomaf_runtime_amd64Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100_x86Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\System32\msvcp100.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10_GAC.amd64.enuJump to dropped file
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeFile created: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.ba\bafunctions.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI3B24.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\Microsoft.VisualStudio.Tools.Office.AddInHostAdapter.v10_Pipeline.amd64.enuJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\System32\msvcr100.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\System32\mfc100cht.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\FL_MSVSTOCoreInterfaces_GAC_nomaf_runtime_amd64Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI1A96.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100jpn_x86Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\Microsoft.VisualStudio.Tools.Office.AddInHostAdapter.v10_GAC.amd64.enuJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\VSTOLoader_dll_x86.3643236F_FC70_11D3_A536_0090278A1BB8Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\System32\mfc100deu.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\mfc100ita.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\FL_MSVSTAServerDocument_GAC_nomaf_runtime_amd64Jump to dropped file
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeFile created: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\VSTORJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\FL_Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll_Pipeline_amd64Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\vsto_shared_typelib90_x86.3643236F_FC70_11D3_A536_0090278A1BB8Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\MSVSTOContainerControl_GAC_v10_amd64Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\FL_MSVSTOOutlookImpl_GAC_nomaf_runtime_amd64Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\Microsoft.Office.Tools.Outlook.Adapter_Pipeline.v10.amd64.enuJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100cht_x86Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\FL_MSVSTOContainerControl_GAC_nomaf_runtime_amd64Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI3A29.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\mfc100fra.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENTRAL_mfcm100u_x64Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENTRAL_mfc100jpn_x64Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENTRAL_msvcr100_x64Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI81F2.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\FL_MSVSTAHosting_GAC_nomaf_runtime_amd64Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\FL_VSTOLoaderUI_dll_x86_ln.3643236F_FC70_11D3_A536_0090278A1BB8Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100kor_x86Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENTRAL_mfc100ita_x64Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\mfc100.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\FL_MSVSTOCommonImpl_GAC_nomaf_runtime_amd64Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI1E21.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI38AF.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\System32\mfc100rus.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENTRAL_mfc100chs_x64Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\VSTOInstaller_exe_x86.3643236F_FC70_11D3_A536_0090278A1BB8Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\mfcm100u.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100fra_x86Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\FL_MSVSTOOutlookHostAdapter_GAC_v10_amd64Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\FL_Microsoft.VisualStudio.Tools.Applications.Contract.v10_Pipeline_amd64Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\FL_MSVSTOCommonInterfaces_GAC_nomaf_runtime_amd64Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\mfc100kor.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfcm100_x86Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\FL_VSTOMessageProvider_x86.3643236F_FC70_11D3_A536_0090278A1BB8Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_atl100_x86Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\mfc100jpn.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\System32\mfc100enu.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENTRAL_atl100_x64Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfcm100u_x86Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI39AB.tmpJump to dropped file
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeFile created: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\VSTORJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\FL_Microsoft.VisualStudio.Tools.Applications.Contract.v10_GAC_amd64Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\FL_Microsoft.VisualStudio.Tools.Applications.Contract.v10_Pipeline_amd64Jump to dropped file
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exe; Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Source: C:\Windows\System32\SrTasks.exe; Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exe; Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce {56aa9754-57aa-4a26-a164-12075d94eb2e}
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\e4b15374fbeb09b00c2ff6ea22\Setup.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\5dbc7bbf14917454e3442522d4a6\Setup.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeDropped PE file which has not been started: C:\5dbc7bbf14917454e3442522d4a6\vstor40\vstor40_LP_x86_chs.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Config.Msi\44ab05.rbfJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENTRAL_mfc100chs_x64Jump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Config.Msi\44aaf4.rbfJump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeDropped PE file which has not been started: C:\e4b15374fbeb09b00c2ff6ea22\1025\SetupResources.dllJump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeDropped PE file which has not been started: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_LP_x86_esn.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\SysWOW64\mfcm100u.dllJump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeDropped PE file which has not been started: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_LP_x64_cht.exeJump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeDropped PE file which has not been started: C:\5dbc7bbf14917454e3442522d4a6\vstor40\vstor40_LP_x64_heb.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Config.Msi\44ab0b.rbfJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Config.Msi\44aaee.rbfJump to dropped file
Source: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exeDropped PE file which has not been started: C:\9e8b505ac5bf67d26cfba004c7a3fd\install.res.1043.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\FL_MSVSTOCommonInterfaces_GAC_nomaf_runtime_amd64Jump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\SysWOW64\mfc100kor.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\install.res.3082.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfcm100_x86Jump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\SysWOW64\mfc100jpn.dllJump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeDropped PE file which has not been started: C:\5dbc7bbf14917454e3442522d4a6\vstor40\vstor40_LP_x64_sve.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Config.Msi\44ab11.rbfJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\System32\mfc100enu.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENTRAL_atl100_x64Jump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI39AB.tmpJump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeDropped PE file which has not been started: C:\5dbc7bbf14917454e3442522d4a6\vstor40\vstor40_x86.exeJump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeDropped PE file which has not been started: C:\5dbc7bbf14917454e3442522d4a6\1046\SetupResources.dllJump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeDropped PE file which has not been started: C:\5dbc7bbf14917454e3442522d4a6\vstor40\vstor40_LP_x86_nor.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENTRAL_mfc100u_x64Jump to dropped file
Source: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exeDropped PE file which has not been started: C:\9e8b505ac5bf67d26cfba004c7a3fd\install.res.1053.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\System32\mfc100.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100ita_x86Jump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\System32\mfc100chs.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Config.Msi\44ab17.rbfJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\FL_MSVSTOExcelImpl_GAC_nomaf_runtime_amd64Jump to dropped file
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{A5DF5AFE-B192-4687-96B1-CE307FC167B5}\.ba\wixstdba.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\Microsoft.VisualStudio.Tools.Applications.Runtime.v10_Pipeline.amd64.enuJump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeDropped PE file which has not been started: C:\5dbc7bbf14917454e3442522d4a6\vstor40\vstor40_LP_x64_chs.exeJump to dropped file
Source: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exeDropped PE file which has not been started: C:\9e8b505ac5bf67d26cfba004c7a3fd\install.res.1037.dllJump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeDropped PE file which has not been started: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_LP_x86_cht.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100u_x86Jump to dropped file
Source: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exeDropped PE file which has not been started: C:\9e8b505ac5bf67d26cfba004c7a3fd\install.res.1045.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Config.Msi\44aafc.rbfJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100enu_x86Jump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeDropped PE file which has not been started: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_LP_x64_jpn.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Config.Msi\44aaf0.rbfJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\install.res.1046.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Config.Msi\44ab09.rbfJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\SysWOW64\mfc100deu.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIE789.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\System32\mfc100u.dllJump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeDropped PE file which has not been started: C:\5dbc7bbf14917454e3442522d4a6\vstor40\vstor40_LP_x86_fin.exeJump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeDropped PE file which has not been started: C:\5dbc7bbf14917454e3442522d4a6\vstor40\vstor40_LP_x86_dan.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Config.Msi\44ab02.rbfJump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeDropped PE file which has not been started: C:\e4b15374fbeb09b00c2ff6ea22\1049\SetupResources.dllJump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeDropped PE file which has not been started: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_LP_x64_plk.exeJump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeDropped PE file which has not been started: C:\e4b15374fbeb09b00c2ff6ea22\1046\SetupResources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENTRAL_mfc100fra_x64Jump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\install.res.2052.dllJump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeDropped PE file which has not been started: C:\5dbc7bbf14917454e3442522d4a6\vstor40\vstor40_LP_x64_kor.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100rus_x86Jump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\FL_MSVSTAAddInAdapter_Pipeline_v10_enu_amd64Jump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10_Pipeline.amd64.enuJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exeJump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeDropped PE file which has not been started: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_LP_x64_deu.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\VSTOLoaderUI.dllJump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeDropped PE file which has not been started: C:\5dbc7bbf14917454e3442522d4a6\1037\SetupResources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\System32\mfc100fra.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\FL_MSVSTORuntime_GAC_nomaf_runtime_amd64Jump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeDropped PE file which has not been started: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_LP_x64_heb.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\install.res.1031.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\vsto_shared_typelib100_x86.3643236F_FC70_11D3_A536_0090278A1BB8Jump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\Microsoft.Office.Tools.Word.Adapter_Pipeline.v10.amd64.enuJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Config.Msi\44ab0e.rbfJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\VSTO\vstoee.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\vsto_shared_vstoee_x86.3643236F_FC70_11D3_A536_0090278A1BB8Jump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENTRAL_mfc100deu_x64Jump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeDropped PE file which has not been started: C:\e4b15374fbeb09b00c2ff6ea22\1043\SetupResources.dllJump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeDropped PE file which has not been started: C:\e4b15374fbeb09b00c2ff6ea22\1041\SetupResources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\System32\mfcm100.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\System32\mfc100kor.dllJump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeDropped PE file which has not been started: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_LP_x86_rus.exeJump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeDropped PE file which has not been started: C:\5dbc7bbf14917454e3442522d4a6\1041\SetupResources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Config.Msi\44ab14.rbfJump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeDropped PE file which has not been started: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_LP_x64_ara.exeJump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeDropped PE file which has not been started: C:\5dbc7bbf14917454e3442522d4a6\1043\SetupResources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENTRAL_mfc100_x64Jump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeDropped PE file which has not been started: C:\5dbc7bbf14917454e3442522d4a6\1049\SetupResources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\FL_MSVSTOV4Framework_GAC_nomaf_runtime_amd64Jump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\VC\msdia100.dllJump to dropped file
Source: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exeDropped PE file which has not been started: C:\9e8b505ac5bf67d26cfba004c7a3fd\install.res.1049.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\FL_MSVSTORuntime_GAC_nomaf_runtime_internal_amd64Jump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeDropped PE file which has not been started: C:\5dbc7bbf14917454e3442522d4a6\vstor40\vstor40_LP_x86_ptb.exeJump to dropped file
Source: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exeDropped PE file which has not been started: C:\9e8b505ac5bf67d26cfba004c7a3fd\install.res.1042.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENTRAL_mfcm100_x64Jump to dropped file
Source: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exeDropped PE file which has not been started: C:\9e8b505ac5bf67d26cfba004c7a3fd\install.res.1025.dllJump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeDropped PE file which has not been started: C:\5dbc7bbf14917454e3442522d4a6\vstor40\vstor40_LP_x64_fra.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\FL_VSTOInstallerUI_enu_x86.3643236F_FC70_11D3_A536_0090278A1BB8Jump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeDropped PE file which has not been started: C:\5dbc7bbf14917454e3442522d4a6\vstor40\vstor40_LP_x64_nld.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Config.Msi\44aaf7.rbfJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Config.Msi\44ab06.rbfJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\VSTOInstallerUI.dllJump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeDropped PE file which has not been started: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_LP_x64_dan.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENTRAL_vcomp100_x64Jump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Config.Msi\44ab10.rbfJump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeDropped PE file which has not been started: C:\5dbc7bbf14917454e3442522d4a6\vstor40\vstor40_LP_x86_deu.exeJump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeDropped PE file which has not been started: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_LP_x86_nld.exeJump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeDropped PE file which has not been started: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_LP_x64_fin.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Config.Msi\44ab0a.rbfJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI6DC.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\install.res.1035.dllJump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeDropped PE file which has not been started: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_LP_x64_ita.exeJump to dropped file
Source: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exeDropped PE file which has not been started: C:\9e8b505ac5bf67d26cfba004c7a3fd\install.res.1028.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Config.Msi\44ab18.rbfJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100esn_x86Jump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeDropped PE file which has not been started: C:\5dbc7bbf14917454e3442522d4a6\vstor40\vstor40_LP_x64_deu.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\install.res.1053.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\FL_Microsoft.VisualStudio.Tools.Applications.Contract.v10_GAC_amd64Jump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\System32\mfc100esn.dllJump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeDropped PE file which has not been started: C:\5dbc7bbf14917454e3442522d4a6\vstor40\vstor40_LP_x86_ara.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Config.Msi\44aaf1.rbfJump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeDropped PE file which has not been started: C:\5dbc7bbf14917454e3442522d4a6\vstor40\vstor40_LP_x86_heb.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100_x86Jump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Config.Msi\44ab08.rbfJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10_GAC.amd64.enuJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI3B24.tmpJump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeDropped PE file which has not been started: C:\5dbc7bbf14917454e3442522d4a6\1025\SetupResources.dllJump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeDropped PE file which has not been started: C:\5dbc7bbf14917454e3442522d4a6\vstor40\vstor40_LP_x64_esn.exeJump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeDropped PE file which has not been started: C:\5dbc7bbf14917454e3442522d4a6\1040\SetupResources.dllJump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeDropped PE file which has not been started: C:\5dbc7bbf14917454e3442522d4a6\1044\SetupResources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100jpn_x86Jump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\VSTOLoader_dll_x86.3643236F_FC70_11D3_A536_0090278A1BB8Jump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\install.res.1037.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\System32\mfc100deu.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\SysWOW64\mfc100ita.dllJump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeDropped PE file which has not been started: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_LP_x86_ita.exeJump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeDropped PE file which has not been started: C:\5dbc7bbf14917454e3442522d4a6\vstor40\vstor40_LP_x86_rus.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Config.Msi\44aafd.rbfJump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeDropped PE file which has not been started: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_LP_x86_fin.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\install.res.1043.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\vsto_shared_typelib90_x86.3643236F_FC70_11D3_A536_0090278A1BB8Jump to dropped file
Source: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exeDropped PE file which has not been started: C:\9e8b505ac5bf67d26cfba004c7a3fd\install.res.1046.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\FL_MSVSTOOutlookImpl_GAC_nomaf_runtime_amd64Jump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeDropped PE file which has not been started: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_LP_x86_ptb.exeJump to dropped file
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exeDropped PE file which has not been started: C:\5dbc7bbf14917454e3442522d4a6\vstor40\vstor40_LP_x64_jpn.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100cht_x86Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Config.Msi\44ab03.rbf
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe Dropped PE file which has not been started: C:\5dbc7bbf14917454e3442522d4a6\1031\SetupResources.dll
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe Dropped PE file which has not been started: C:\5dbc7bbf14917454e3442522d4a6\1030\SetupResources.dll
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe Dropped PE file which has not been started: C:\5dbc7bbf14917454e3442522d4a6\1035\SetupResources.dll
Source: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exe Dropped PE file which has not been started: C:\9e8b505ac5bf67d26cfba004c7a3fd\install.res.3082.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Config.Msi\44aaeb.rbf
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Config.Msi\44ab13.rbf
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENTRAL_msvcr100_x64
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI81F2.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\FL_VSTOLoaderUI_dll_x86_ln.3643236F_FC70_11D3_A536_0090278A1BB8
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\FL_MSVSTAHosting_GAC_nomaf_runtime_amd64
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100kor_x86
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENTRAL_mfc100ita_x64
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe Dropped PE file which has not been started: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_LP_x86_sve.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Config.Msi\44ab0d.rbf
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe Dropped PE file which has not been started: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_LP_x64_nor.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\FL_MSVSTOCommonImpl_GAC_nomaf_runtime_amd64
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI1E21.tmp
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe Dropped PE file which has not been started: C:\5dbc7bbf14917454e3442522d4a6\1028\SetupResources.dll
Source: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exe Dropped PE file which has not been started: C:\9e8b505ac5bf67d26cfba004c7a3fd\install.res.1041.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\install.res.1025.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\install.res.1042.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\System32\mfc100rus.dll
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe Dropped PE file which has not been started: C:\5dbc7bbf14917454e3442522d4a6\vstor40\vstor40_LP_x64_dan.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: 44aae5.rbf (copy)
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\VSTOInstaller_exe_x86.3643236F_FC70_11D3_A536_0090278A1BB8
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Config.Msi\44ab07.rbf
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOMessageProvider.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100fra_x86
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\FL_MSVSTOOutlookHostAdapter_GAC_v10_amd64
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\FL_Microsoft.VisualStudio.Tools.Applications.Contract.v10_Pipeline_amd64
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe Dropped PE file which has not been started: C:\5dbc7bbf14917454e3442522d4a6\vstor40\vstor40_LP_x86_ita.exe
Source: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exe Dropped PE file which has not been started: C:\9e8b505ac5bf67d26cfba004c7a3fd\install.res.1030.dll
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe Dropped PE file which has not been started: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_LP_x64_rus.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\4F46D9DF5FAC32D348A58B347CC81C5A\10.0.60830\FL_VSTOMessageProvider_x86.3643236F_FC70_11D3_A536_0090278A1BB8
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_atl100_x86
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe Dropped PE file which has not been started: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x86.exe
Source: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe Dropped PE file which has not been started: C:\5dbc7bbf14917454e3442522d4a6\vstor40\vstor40_LP_x86_plk.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Config.Msi\44aaf6.rbf
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfcm100u_x86
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exe Evaded block: after key decision
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exe Evaded block: after key decision
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exe Evasive API call chain: GetLocalTime,DecisionNodes
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\SPCapIQProOffice-1.0.24095.1.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\SPCapIQProOffice-1.0.24095.1.exe API coverage: 8.9 %
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe API coverage: 9.1 %
Source: C:\Windows\System32\SrTasks.exe TID: 7932 Thread sleep time: -300000s >= -30000s
Source: C:\Windows\System32\SrTasks.exe TID: 7484 Thread sleep time: -290000s >= -30000s
Source: C:\Windows\System32\msiexec.exe TID: 2208 Thread sleep count: 55 > 30
Source: C:\Users\user\Desktop\SPCapIQProOffice-1.0.24095.1.exe Code function: 0_2_0004FEC6 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 0004FF61h
Source: C:\Users\user\Desktop\SPCapIQProOffice-1.0.24095.1.exe Code function: 0_2_0004FEC6 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 0004FF5Ah
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exe Code function: 1_2_0097FEC6 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 0097FF61h
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exe Code function: 1_2_0097FEC6 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 0097FF5Ah
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exe Code function: 2_2_0068FEC6 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 0068FF61h
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exe Code function: 2_2_0068FEC6 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 0068FF5Ah
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe Code function: 11_2_0019FEC6 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 0019FF61h
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe Code function: 11_2_0019FEC6 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 0019FF5Ah
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exe File Volume queried: C:\Windows FullSizeInformation
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe File Volume queried: C:\ FullSizeInformation
Source: C:\e4b15374fbeb09b00c2ff6ea22\Setup.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\5dbc7bbf14917454e3442522d4a6\Setup.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\SPCapIQProOffice-1.0.24095.1.exe Code function: 0_2_00054440 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\SPCapIQProOffice-1.0.24095.1.exe Code function: 0_2_00029B43 FindFirstFileW,lstrlenW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\SPCapIQProOffice-1.0.24095.1.exe Code function: 0_2_00013CC4 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exe Code function: 1_2_00984440 FindFirstFileW,FindClose
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exe Code function: 1_2_00959B43 FindFirstFileW,lstrlenW,FindNextFileW,FindClose
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exe Code function: 1_2_00943CC4 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exe Code function: 1_2_6CBED856 FindFirstFileExW,_free
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exe Code function: 1_2_6CC06866 FindFirstFileW,FindClose
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exe Code function: 2_2_00694440 FindFirstFileW,FindClose
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exe Code function: 2_2_00669B43 FindFirstFileW,lstrlenW,FindNextFileW,FindClose
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exe Code function: 2_2_00653CC4 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe Code function: 11_2_001A4440 FindFirstFileW,FindClose
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe Code function: 11_2_00179B43 FindFirstFileW,lstrlenW,FindNextFileW,FindClose
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe Code function: 11_2_00163CC4 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe Code function: 13_2_6C16D856 FindFirstFileExW,_free
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe Code function: 13_2_6C186866 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\SPCapIQProOffice-1.0.24095.1.exe Code function: 0_2_000597A5 VirtualQuery,GetSystemInfo
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exe File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\NULL
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exe File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\packages
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exe File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\packages\vcRuntimeAdditional_amd64
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exe File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exe File opened: C:\ProgramData\Package Cache\NULL
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exe File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\packages\NULL
Source: SrTasks.exe, 00000014.00000002.2360481141.00000210C504F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \Device\HarddiskVolume1\??\Volume{ad6cc5d8-f1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:5
Source: SrTasks.exe, 00000014.00000003.2278930233.00000210C5051000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \Device\HarddiskVolume1\??\Volume{ad6cc5d8-f1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: SrTasks.exe, 00000014.00000003.2278930233.00000210C5051000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \Device\HarddiskVolume1\??\Volume{ad6cc5d8-f1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:o
Source: SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000002.2894425642.00000000058F4000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000003.2611939090.00000000058F4000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000D.00000002.2894303109.00000000071C0000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000D.00000002.2882904243.00000000013E4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
Source: SPCapIQProOffice-1.0.24095.1.exe, 0000000D.00000002.2882904243.00000000013E4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%\system32\WindowsPowerShell\v1.0\powershell.exe,-124
Source: SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000002.2886220545.0000000000C61000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWL
Source: SrTasks.exe, 00000007.00000002.1931545404.00000234C2E47000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \Device\HarddiskVolume1\??\Volume{ad6cc5d8-f1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:GG
Source: SrTasks.exe, 00000014.00000003.2278930233.00000210C5051000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \Device\HarddiskVolume1\??\Volume{ad6cc5d8-f1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:88
Source: SrTasks.exe, 00000014.00000003.2343976320.00000210C504D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \Device\HarddiskVolume1\??\Volume{ad6cc5d8-f1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:QQ
Source: SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000002.2886220545.0000000000C88000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW`
Source: C:\Users\user\Desktop\SPCapIQProOffice-1.0.24095.1.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exe API call chain: ExitProcess graph end node
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe API call chain: ExitProcess graph end node
Source: C:\e4b15374fbeb09b00c2ff6ea22\Setup.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\SPCapIQProOffice-1.0.24095.1.exe Code function: 0_2_0003E88A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\SPCapIQProOffice-1.0.24095.1.exe Code function: 0_2_000448D8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exe Code function: 1_2_009748D8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exe Code function: 1_2_6CBE55CE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exe Code function: 1_2_6CBE9806 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exe Code function: 1_2_6CC141CF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exe Code function: 2_2_006848D8 mov eax, dword ptr fs:[00000030h]
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe Code function: 11_2_001948D8 mov eax, dword ptr fs:[00000030h]
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe Code function: 13_2_6C1655CE mov eax, dword ptr fs:[00000030h]
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe Code function: 13_2_6C169806 mov eax, dword ptr fs:[00000030h]
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe Code function: 13_2_6C1941CF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SPCapIQProOffice-1.0.24095.1.exe Code function: 0_2_0001394F GetProcessHeap,RtlAllocateHeap
Source: C:\Users\user\Desktop\SPCapIQProOffice-1.0.24095.1.exe Code function: 0_2_0003E3D8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\SPCapIQProOffice-1.0.24095.1.exe Code function: 0_2_0003E88A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\SPCapIQProOffice-1.0.24095.1.exe Code function: 0_2_0003E9DC SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\SPCapIQProOffice-1.0.24095.1.exe Code function: 0_2_00043C76 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exe Code function: 1_2_0096E3D8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exe Code function: 1_2_0096E88A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exe Code function: 1_2_0096E9DC SetUnhandledExceptionFilter
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exe Code function: 1_2_00973C76 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exe Code function: 1_2_6CBE1CB4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exe Code function: 1_2_6CBE9449 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exe Code function: 1_2_6CBE22CC IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exe Code function: 1_2_6CC0EC80 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exe Code function: 1_2_6CC10F7E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exe Code function: 1_2_6CC0F173 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exe Code function: 2_2_0067E3D8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exe Code function: 2_2_0067E88A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exe Code function: 2_2_0067E9DC SetUnhandledExceptionFilter
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exe Code function: 2_2_00683C76 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe Code function: 11_2_0018E3D8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe Code function: 11_2_0018E88A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe Code function: 11_2_0018E9DC SetUnhandledExceptionFilter
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe Code function: 11_2_00193C76 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe Code function: 13_2_6C169449 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe Code function: 13_2_6C161CB4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe Code function: 13_2_6C1622CC IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe Code function: 13_2_6C18EC80 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe Code function: 13_2_6C190F7E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe Code function: 13_2_6C18F173 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\e4b15374fbeb09b00c2ff6ea22\Setup.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\SPCapIQProOffice-1.0.24095.1.exe Process created: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exe "C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exe" -burn.clean.room="C:\Users\user\Desktop\SPCapIQProOffice-1.0.24095.1.exe" -burn.filehandle.attached=532 -burn.filehandle.self=528
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exe Process created: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exe "C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exe" -q -burn.elevated BurnPipe.{22255B69-8FB0-4B58-9A37-96EAAA229CC0} {B6A53FD5-A31E-4AF8-BB77-CA62C452506E} 7336
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exe Process created: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe "C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe" /i /q /norestart
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe Process created: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe "C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe" -burn.clean.room="C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe" -burn.filehandle.attached=520 -burn.filehandle.self=540 /burn.log.append "C:\Users\user\AppData\Local\Temp\S&P_Capital_IQ_Pro_Office_20240419025210.log"
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe Process created: C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe "C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe" /i /q /norestart
Source: C:\e4b15374fbeb09b00c2ff6ea22\Setup.exe Process created: C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exe vstor40_x64.exe /q
Source: C:\Windows\System32\msiexec.exeProcess created: unknown unknown
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll" /queue:3 /NoDependencies
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll" /queue:3 /NoDependencies
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll" /queue:3 /NoDependencies
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll" /queue:3 /NoDependencies
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll" /queue:3 /NoDependencies
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll" /queue:3 /NoDependencies
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll" /queue:3 /NoDependencies
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll" /queue:3 /NoDependencies
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll" /queue:3 /NoDependencies
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeProcess created: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe "c:\programdata\package cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\spcapiqprooffice-1.0.24095.1.exe" -burn.clean.room="c:\programdata\package cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\spcapiqprooffice-1.0.24095.1.exe" -burn.filehandle.attached=520 -burn.filehandle.self=540 /burn.log.append "c:\users\user\appdata\local\temp\s&p_capital_iq_pro_office_20240419025210.log"
Source: C:\Users\user\Desktop\SPCapIQProOffice-1.0.24095.1.exeCode function: 0_2_00051719 InitializeSecurityDescriptor,GetLastError,CreateWellKnownSid,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,SetEntriesInAclA,SetSecurityDescriptorOwner,GetLastError,SetSecurityDescriptorGroup,GetLastError,SetSecurityDescriptorDacl,GetLastError,CoInitializeSecurity,LocalFree,0_2_00051719
Source: C:\Users\user\Desktop\SPCapIQProOffice-1.0.24095.1.exeCode function: 0_2_00053A5F AllocateAndInitializeSid,CheckTokenMembership,0_2_00053A5F
Source: Setup.exe, 00000016.00000003.2269662808.000000000143C000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000016.00000003.2596479385.0000000001421000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000016.00000002.2600670333.0000000001428000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerapIQProOffice-1.0.24095.1.exe)N(
Source: C:\Users\user\Desktop\SPCapIQProOffice-1.0.24095.1.exeCode function: 0_2_0003EC07 cpuid 0_2_0003EC07
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeQueries volume information: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.ba\logo.png VolumeInformation
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\{A5DF5AFE-B192-4687-96B1-CE307FC167B5}\.ba\logo.png VolumeInformation
Source: C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exeKey value queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation TimeZoneKeyName
Source: C:\Users\user\Desktop\SPCapIQProOffice-1.0.24095.1.exeCode function: 0_2_00024EDF ConvertStringSecurityDescriptorToSecurityDescriptorW,GetLastError,CreateNamedPipeW,GetLastError,CreateNamedPipeW,GetLastError,CloseHandle,LocalFree,0_2_00024EDF
Source: C:\Users\user\Desktop\SPCapIQProOffice-1.0.24095.1.exeCode function: 0_2_00016037 GetSystemTime,GetDateFormatW,GetLastError,GetLastError,GetDateFormatW,GetLastError,0_2_00016037
Source: C:\Users\user\Desktop\SPCapIQProOffice-1.0.24095.1.exeCode function: 0_2_000161DF GetUserNameW,GetLastError,0_2_000161DF
Source: C:\Users\user\Desktop\SPCapIQProOffice-1.0.24095.1.exeCode function: 0_2_0005887B GetTimeZoneInformation,SystemTimeToTzSpecificLocalTime,0_2_0005887B
Source: C:\Users\user\Desktop\SPCapIQProOffice-1.0.24095.1.exeCode function: 0_2_00015195 GetModuleHandleW,CoInitializeEx,GetVersionExW,GetLastError,CoUninitialize,0_2_00015195
Source: C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Replication Through Removable Media (1) | Native API (3) | DLL Side-Loading (1) | DLL Side-Loading (1) | Disable or Modify Tools (1) | OS Credential Dumping | System Time Discovery (22) | Remote Services | Archive Collected Data (1) | Ingress Tool Transfer (1) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Command and Scripting Interpreter (13) | Windows Service (21) | Access Token Manipulation (1) | Deobfuscate/Decode Files or Information (1) | LSASS Memory | Peripheral Device Discovery (11) | Remote Desktop Protocol | Data from Removable Media | Encrypted Channel (2) | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | Scheduled Task/Job (1) | Scheduled Task/Job (1) | Windows Service (21) | Obfuscated Files or Information (2) | Security Account Manager | Account Discovery (1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Service Execution (1) | Registry Run Keys / Startup Folder (1) | Process Injection (13) | Install Root Certificate (1) | NTDS | File and Directory Discovery (4) | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Scheduled Task/Job (1) | Software Packing (1) | LSA Secrets | System Information Discovery (27) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | Registry Run Keys / Startup Folder (1) | DLL Side-Loading (1) | Cached Domain Credentials | Security Software Discovery (21) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | File Deletion (1) | DCSync | Virtualization/Sandbox Evasion (1) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Masquerading (32) | Proc Filesystem | Process Discovery (2) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | Virtualization/Sandbox Evasion (1) | /etc/passwd and /etc/shadow | System Owner/User Discovery (1) | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Access Token Manipulation (1) | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | Process Injection (13) | Input Capture | System Network Connections Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption
Behavior Graph: ID: 1428493, Sample: SPCapIQProOffice-1.0.24095.1.exe, Startdate: 19/04/2024, Architecture: WINDOWS, Score: 24

Source | Detection | Scanner | Label | Link
SPCapIQProOffice-1.0.24095.1.exe | 0% | ReversingLabs | |
SPCapIQProOffice-1.0.24095.1.exe | 0% | Virustotal | | Browse

Source | Detection | Scanner | Label | Link
44aae5.rbf (copy) | 0% | ReversingLabs | |
44aae5.rbf (copy) | 0% | Virustotal | | Browse
C:\5dbc7bbf14917454e3442522d4a6\1025\SetupResources.dll | 0% | ReversingLabs | |
C:\5dbc7bbf14917454e3442522d4a6\1028\SetupResources.dll | 0% | ReversingLabs | |
C:\5dbc7bbf14917454e3442522d4a6\1030\SetupResources.dll | 0% | ReversingLabs | |
C:\5dbc7bbf14917454e3442522d4a6\1031\SetupResources.dll | 0% | ReversingLabs | |
C:\5dbc7bbf14917454e3442522d4a6\1033\SetupResources.dll | 0% | ReversingLabs | |
C:\5dbc7bbf14917454e3442522d4a6\1035\SetupResources.dll | 0% | ReversingLabs | |
C:\5dbc7bbf14917454e3442522d4a6\1036\SetupResources.dll | 0% | ReversingLabs | |
C:\5dbc7bbf14917454e3442522d4a6\1037\SetupResources.dll | 0% | ReversingLabs | |
C:\5dbc7bbf14917454e3442522d4a6\1040\SetupResources.dll | 0% | ReversingLabs | |
C:\5dbc7bbf14917454e3442522d4a6\1041\SetupResources.dll | 0% | ReversingLabs | |
C:\5dbc7bbf14917454e3442522d4a6\1042\SetupResources.dll | 0% | ReversingLabs | |
C:\5dbc7bbf14917454e3442522d4a6\1043\SetupResources.dll | 0% | ReversingLabs | |
C:\5dbc7bbf14917454e3442522d4a6\1044\SetupResources.dll | 0% | ReversingLabs | |
C:\5dbc7bbf14917454e3442522d4a6\1045\SetupResources.dll | 0% | ReversingLabs | |
C:\5dbc7bbf14917454e3442522d4a6\1046\SetupResources.dll | 0% | ReversingLabs | |
C:\5dbc7bbf14917454e3442522d4a6\1049\SetupResources.dll | 0% | ReversingLabs | |
C:\5dbc7bbf14917454e3442522d4a6\1053\SetupResources.dll | 0% | ReversingLabs | |
C:\5dbc7bbf14917454e3442522d4a6\2052\SetupResources.dll | 0% | ReversingLabs | |
C:\5dbc7bbf14917454e3442522d4a6\3082\SetupResources.dll | 0% | ReversingLabs | |
C:\5dbc7bbf14917454e3442522d4a6\Setup.exe | 0% | ReversingLabs | |
C:\5dbc7bbf14917454e3442522d4a6\SetupEngine.dll | 0% | ReversingLabs | |
C:\5dbc7bbf14917454e3442522d4a6\SetupUi.dll | 0% | ReversingLabs | |
C:\5dbc7bbf14917454e3442522d4a6\sqmapi.dll | 0% | ReversingLabs | |
C:\5dbc7bbf14917454e3442522d4a6\vstor40\vstor40_LP_x64_ara.exe | 0% | ReversingLabs | |
C:\5dbc7bbf14917454e3442522d4a6\vstor40\vstor40_LP_x64_chs.exe | 0% | ReversingLabs | |
C:\5dbc7bbf14917454e3442522d4a6\vstor40\vstor40_LP_x64_cht.exe | 0% | ReversingLabs | |
C:\5dbc7bbf14917454e3442522d4a6\vstor40\vstor40_LP_x64_dan.exe | 0% | ReversingLabs | |
C:\5dbc7bbf14917454e3442522d4a6\vstor40\vstor40_LP_x64_deu.exe | 0% | ReversingLabs | |
C:\5dbc7bbf14917454e3442522d4a6\vstor40\vstor40_LP_x64_esn.exe | 0% | ReversingLabs | |
C:\5dbc7bbf14917454e3442522d4a6\vstor40\vstor40_LP_x64_fin.exe | 0% | ReversingLabs | |
C:\5dbc7bbf14917454e3442522d4a6\vstor40\vstor40_LP_x64_fra.exe | 0% | ReversingLabs | |
C:\5dbc7bbf14917454e3442522d4a6\vstor40\vstor40_LP_x64_heb.exe | 0% | ReversingLabs | |
C:\5dbc7bbf14917454e3442522d4a6\vstor40\vstor40_LP_x64_ita.exe | 0% | ReversingLabs | |
C:\5dbc7bbf14917454e3442522d4a6\vstor40\vstor40_LP_x64_jpn.exe | 0% | ReversingLabs | |
C:\5dbc7bbf14917454e3442522d4a6\vstor40\vstor40_LP_x64_kor.exe | 0% | ReversingLabs | |
C:\5dbc7bbf14917454e3442522d4a6\vstor40\vstor40_LP_x64_nld.exe | 0% | ReversingLabs | |
C:\5dbc7bbf14917454e3442522d4a6\vstor40\vstor40_LP_x64_nor.exe | 0% | ReversingLabs | |
C:\5dbc7bbf14917454e3442522d4a6\vstor40\vstor40_LP_x64_plk.exe | 0% | ReversingLabs | |
C:\5dbc7bbf14917454e3442522d4a6\vstor40\vstor40_LP_x64_ptb.exe | 0% | ReversingLabs | |
C:\5dbc7bbf14917454e3442522d4a6\vstor40\vstor40_LP_x64_rus.exe | 0% | ReversingLabs | |
C:\5dbc7bbf14917454e3442522d4a6\vstor40\vstor40_LP_x64_sve.exe | 0% | ReversingLabs | |
C:\5dbc7bbf14917454e3442522d4a6\vstor40\vstor40_LP_x86_ara.exe | 0% | ReversingLabs | |
C:\5dbc7bbf14917454e3442522d4a6\vstor40\vstor40_LP_x86_chs.exe | 0% | ReversingLabs | |
C:\5dbc7bbf14917454e3442522d4a6\vstor40\vstor40_LP_x86_cht.exe | 0% | ReversingLabs | |
C:\5dbc7bbf14917454e3442522d4a6\vstor40\vstor40_LP_x86_dan.exe | 0% | ReversingLabs | |
C:\5dbc7bbf14917454e3442522d4a6\vstor40\vstor40_LP_x86_deu.exe | 0% | ReversingLabs | |
C:\5dbc7bbf14917454e3442522d4a6\vstor40\vstor40_LP_x86_esn.exe | 0% | ReversingLabs | |
C:\5dbc7bbf14917454e3442522d4a6\vstor40\vstor40_LP_x86_fin.exe | 0% | ReversingLabs | |
C:\5dbc7bbf14917454e3442522d4a6\vstor40\vstor40_LP_x86_fra.exe | 0% | ReversingLabs | |
C:\5dbc7bbf14917454e3442522d4a6\vstor40\vstor40_LP_x86_heb.exe | 0% | ReversingLabs | |
C:\5dbc7bbf14917454e3442522d4a6\vstor40\vstor40_LP_x86_ita.exe | 0% | ReversingLabs | |
C:\5dbc7bbf14917454e3442522d4a6\vstor40\vstor40_LP_x86_jpn.exe | 0% | ReversingLabs | |
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://appsyndication.org/2006/appsynapplicationapuputil.cppupgradeexclusivetrueenclosuredigestalgor | 0% | URL Reputation | safe |
http://appsyndication.org/2006/appsyn | 0% | URL Reputation | safe |
https://www.capitaliq.spglobal.cn/apiservices/office-tools-service/Content/Prereqs/NDP48/ndp48-x86-x | 0% | Virustotal | | Browse
https://www.capitaliq.spglobal.cn/ | 0% | Virustotal | | Browse
https://www.capitaliq.spglobal.cn/apiservices/office-tools-service/Content/en-US/PluginManager-1.0.2 | 0% | Virustotal | | Browse
https://www.capitaliq.spglobal.cn/apiservices/office-tools-service/Content/Prereqs/VSTOR2010/vstor_r | 0% | Virustotal | | Browse
https://www.capitaliq.spglobal.cn/apiservices/office-tools-service/Content/en-US/OfficeTools-x86-1.0 | 0% | Virustotal | | Browse
https://www.capitaliq.spglobal.cn/apiservices/office-tools-service/Content/Prereqs/VC_REDIST/vc_redi | 0% | Virustotal | | Browse
https://www.capitaliq.spglobal.cn/apiservices/office-tools-service/Content/en-US/OfficeTools-x64-1.0 | 0% | Virustotal | | Browse
https://www.capitaliq.spglobal.co | 1% | Virustotal | | Browse
http://schemas.microsoft. | 0% | Virustotal | | Browse
http://go.microsoft.co | 1% | Virustotal | | Browse
https://www.capitaliq.spglobal.cn/apiservices/office-tools-service/Content/en-US/SPCapIQProOffice-x8 | 0% | Virustotal | | Browse
https://www.capitaliq.spglobal.cn/apiservices/office-tools-service/Content/en-US/SPCapIQProOffice-x6 | 0% | Virustotal | | Browse
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
00000002.00000003.1676056198.0000000001284000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000B.00000003.1928049730.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000B.00000003.1927825834.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000B.00000003.1930159833.0000000002E4C000.00000004.00000800.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000C.00000003.1929249126.0000000000846000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000C.00000002.2883587516.0000000000846000.00000004.00000020.00020000.00000000.sdmpfalseunknown
                                https://www.capitaliq.spglobal.cn/apiservices/office-tools-service/Co_SPCapIQProOffice-1.0.24095.1.exe, 0000000D.00000003.1935412502.0000000001395000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000D.00000003.1935258122.0000000001395000.00000004.00000020.00020000.00000000.sdmpfalse
                                  unknown
                                  https://www.capitaliq.spglobal.com/apiservices/office-tools-service/Content/Empower/empower-1.0.2409SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000002.2884729362.0000000001060000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000002.2884729362.0000000001038000.00000004.00000020.00020000.00000000.sdmpfalse
                                    high
                                    https://www.capitaliq.spzSPCapIQProOffice-1.0.24095.1.exe, 00000001.00000003.1634078534.0000000000C05000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000003.1634159978.0000000000C05000.00000004.00000020.00020000.00000000.sdmpfalse
                                      unknown
                                      https://www.capitaliq.spglobal.cn/apiservices/office-tools-service/Content/Prereqs/VSTOR2010/vstor_rSPCapIQProOffice-1.0.24095.1.exe, 00000000.00000003.1630207902.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000000.00000002.2888186888.00000000027F0000.00000004.00000800.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000000.00000002.2883590175.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000000.00000003.1630373970.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000003.1634078534.0000000000C05000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000003.1634078534.0000000000BDD000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000002.2886220545.0000000000C05000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000002.2891213065.0000000002CF8000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000002.2891213065.0000000002D02000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000002.2892239144.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000003.1634159978.0000000000C05000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000002.00000003.2027015327.0000000001284000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000002.00000003.1675920250.0000000001284000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000002.00000002.2884277947.0000000001284000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000002.00000002.2891582603.0000000003480000.00000004.00000800.00020000.00000000.sdmp, 
SPCapIQProOffice-1.0.24095.1.exe, 00000002.00000003.1676056198.0000000001284000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000B.00000003.1928049730.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000B.00000003.1927825834.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000B.00000003.1932045913.0000000000C3B000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000B.00000003.1931257225.0000000000C34000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000B.00000003.1930159833.0000000002E4C000.00000004.00000800.00020000.00000000.sdmpfalseunknown
                                      https://www.capitaliq.spglobalSPCapIQProOffice-1.0.24095.1.exe, 00000001.00000003.1634078534.0000000000C05000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000003.1634159978.0000000000C05000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000C.00000003.1929249126.0000000000846000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000C.00000002.2883587516.0000000000846000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000C.00000003.1929606614.0000000000846000.00000004.00000020.00020000.00000000.sdmpfalse
                                        unknown
                                        https://www.capitaliq.spglobal.cn/apiservicesSPCapIQProOffice-1.0.24095.1.exe, 0000000C.00000003.1929249126.0000000000846000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000C.00000002.2883587516.0000000000846000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000C.00000003.1929606614.0000000000846000.00000004.00000020.00020000.00000000.sdmpfalse
                                          unknown
                                          https://www.capitaliq.spglobal.SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000003.1634078534.0000000000C05000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000003.1634159978.0000000000C05000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000002.00000003.1675920250.0000000001284000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000002.00000003.1676056198.0000000001284000.00000004.00000020.00020000.00000000.sdmpfalse
                                            unknown
                                            https://www.capitaliq.spglobal.com/apiservices/office-tools-service/Content/en-US/O;=SPCapIQProOffice-1.0.24095.1.exe, 0000000B.00000002.1933865731.0000000000C34000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000B.00000003.1928049730.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000B.00000003.1927825834.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000B.00000003.1931257225.0000000000C34000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000B.00000003.1932358478.0000000000C34000.00000004.00000020.00020000.00000000.sdmpfalse
                                              high
                                              https://www.capitaliq.spglobal.cn/apiservices/office-tools-service/ConSPCapIQProOffice-1.0.24095.1.exe, 0000000C.00000003.1929249126.0000000000846000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000C.00000002.2883587516.0000000000846000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000C.00000003.1929606614.0000000000846000.00000004.00000020.00020000.00000000.sdmpfalse
                                                unknown
                                                https://www.capitaliq.spglobal.cn/apiservices/of=SPCapIQProOffice-1.0.24095.1.exe, 0000000B.00000002.1933865731.0000000000C34000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000B.00000003.1928049730.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000B.00000003.1927825834.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000B.00000003.1931257225.0000000000C34000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000B.00000003.1932358478.0000000000C34000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  unknown
                                                  https://www.capitaliq.spglobal.cn/apiservices/office-tools-service/Content/en-US/OfficeTools-x86-1.0SPCapIQProOffice-1.0.24095.1.exe, 00000000.00000003.1630207902.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000000.00000002.2888186888.00000000027F0000.00000004.00000800.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000000.00000002.2883590175.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000000.00000003.1630373970.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000003.1634078534.0000000000C05000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000003.1634078534.0000000000BDD000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000002.2886220545.0000000000C05000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000002.2891213065.0000000002CF8000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000002.2891213065.0000000002D02000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000002.2892239144.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000003.1634159978.0000000000C05000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000002.00000003.1675920250.0000000001291000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000002.00000002.2884277947.0000000001284000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000002.00000002.2891582603.0000000003480000.00000004.00000800.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000002.00000003.2027015327.0000000001291000.00000004.00000020.00020000.00000000.sdmp, 
SPCapIQProOffice-1.0.24095.1.exe, 00000002.00000003.1676056198.0000000001291000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000B.00000003.1928049730.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000B.00000003.1927825834.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000B.00000003.1932045913.0000000000C3B000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000B.00000003.1931257225.0000000000C34000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000B.00000003.1930048010.0000000002E4E000.00000004.00000800.00020000.00000000.sdmpfalseunknown
                                                  https://ecs.syr.edu/faculty/fawcett/handouts/Coretechnologies/WindowsProgramming/WinUser.hSPCapIQProOffice-1.0.24095.1.exe, 00000001.00000002.2890706092.0000000002B30000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000D.00000002.2889517822.00000000035C0000.00000004.00000020.00020000.00000000.sdmp, thm.xml.13.drfalse
                                                    high
                                                    https://www.capitaliq.spglobal.com/apiservices/office-tools-service/Content/en-US/OfficeTools-x64-1.SPCapIQProOffice-1.0.24095.1.exe, 00000000.00000003.1630207902.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000000.00000002.2888186888.00000000027F0000.00000004.00000800.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000000.00000002.2883590175.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000000.00000003.1630373970.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000003.1634078534.0000000000C05000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000003.1634078534.0000000000BDD000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000002.2886220545.0000000000C05000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000002.2891213065.0000000002CF8000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000002.2891213065.0000000002D02000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000002.2892239144.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000003.1634159978.0000000000C05000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000002.00000003.1675920250.0000000001291000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000002.00000002.2884277947.0000000001284000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000002.00000002.2891582603.0000000003480000.00000004.00000800.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000002.00000003.2027015327.0000000001291000.00000004.00000020.00020000.00000000.sdmp, 
SPCapIQProOffice-1.0.24095.1.exe, 00000002.00000003.1676056198.0000000001291000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000B.00000003.1928049730.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000B.00000003.1927825834.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000B.00000003.1932045913.0000000000C3B000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000B.00000003.1931257225.0000000000C34000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000B.00000003.1930048010.0000000002E4E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      high
                                                      https://www.capitaliq.spglobal.com/G~SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000003.2611939090.00000000058E5000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000002.2894425642.00000000058E1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        high
                                                        http://go.microsoft.coSetup.exe, 0000001D.00000003.2482553908.000000000147F000.00000004.00000020.00020000.00000000.sdmpfalseunknown
                                                        https://www.capitaliq.spglobal.cn/apiservices/office-tools-service/Content/Prereqs/VC_REDIST/vc_rediBootstrapperApplicationData.xml.1.drfalseunknown
                                                        https://www.capitaliq.spglobal.cn/apiservices/office-tools-service/Content/en-US/OfficeTools-x64-1.0SPCapIQProOffice-1.0.24095.1.exe, 00000000.00000003.1630207902.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000000.00000002.2888186888.00000000027F0000.00000004.00000800.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000000.00000002.2883590175.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000000.00000003.1630373970.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000003.1634078534.0000000000C05000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000003.1634078534.0000000000BDD000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000002.2886220545.0000000000C05000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000002.2891213065.0000000002CF8000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000002.2891213065.0000000002D02000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000002.2892239144.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000003.1634159978.0000000000C05000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000002.00000003.1675920250.0000000001291000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000002.00000002.2884277947.0000000001284000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000002.00000002.2891582603.0000000003480000.00000004.00000800.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000002.00000003.2027015327.0000000001291000.00000004.00000020.00020000.00000000.sdmp, 
SPCapIQProOffice-1.0.24095.1.exe, 00000002.00000003.1676056198.0000000001291000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000B.00000003.1928049730.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000B.00000003.1927825834.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000B.00000003.1932045913.0000000000C3B000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000B.00000003.1931257225.0000000000C34000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000B.00000003.1932156175.0000000000C3E000.00000004.00000020.00020000.00000000.sdmpfalseunknown
                                                        https://www.capitaliq.spglobal.com/apiservices/offiQBSPCapIQProOffice-1.0.24095.1.exe, 00000002.00000003.1675920250.0000000001284000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000002.00000003.1676056198.0000000001284000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          high
                                                          https://www.capitaliq.spglobal.com/apiservices/office-tooSPCapIQProOffice-1.0.24095.1.exe, 0000000B.00000002.1933865731.0000000000C34000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000B.00000003.1928049730.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000B.00000003.1927825834.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000B.00000003.1931257225.0000000000C34000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000B.00000003.1932358478.0000000000C34000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            high
                                                            https://www.capitaliq.spglobal.com/apiservices/office-t7BSPCapIQProOffice-1.0.24095.1.exe, 00000002.00000003.1675920250.0000000001284000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000002.00000003.1676056198.0000000001284000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              high
                                                              http://schemas.microsoft.Setup.exe, 00000016.00000002.2600526077.0000000001416000.00000004.00000020.00020000.00000000.sdmpfalseunknown
                                                              https://www.capitaliq.spglobal.com/apiservices/office-tools-service/Content/Empower/eSPCapIQProOffice-1.0.24095.1.exe, 00000010.00000002.2884729362.0000000001060000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                high
                                                                http://appsyndication.org/2006/appsynapplicationapuputil.cppupgradeexclusivetrueenclosuredigestalgorSPCapIQProOffice-1.0.24095.1.exefalse
                                                                • URL Reputation: safe
                                                                unknown
                                                                https://www.capitaliq.spglobal.com/SPCapIQProOffice-1.0.24095.1.exe, 0000000D.00000003.1935258122.0000000001395000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000D.00000002.2894303109.00000000071C0000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000D.00000002.2882904243.0000000001348000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000D.00000002.2882904243.00000000013BF000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000D.00000002.2882904243.00000000013E4000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000002.2884729362.0000000001084000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2032193426.0000000001084000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000002.2884729362.0000000001038000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000002.2894044221.0000000003660000.00000004.00000800.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000002.2884729362.0000000001091000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2032900367.0000000001084000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  high
                                                                  https://www.capitaliq.spglobal.coSPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2032193426.0000000001084000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2032900367.0000000001084000.00000004.00000020.00020000.00000000.sdmpfalseunknown
                                                                  https://www.capitaliq.spglobal.com/apiservices/office-tools-service/Content/en-US/OfficeTools-x86-1.SPCapIQProOffice-1.0.24095.1.exe, 00000001.00000003.1634159978.0000000000C05000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000002.00000003.1675920250.0000000001291000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000002.00000002.2884277947.0000000001284000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000002.00000002.2891582603.0000000003480000.00000004.00000800.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000002.00000003.2027015327.0000000001291000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000002.00000003.1676056198.0000000001291000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000B.00000003.1927825834.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000B.00000003.1930048010.0000000002E4E000.00000004.00000800.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000B.00000003.1928049730.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000C.00000003.1929249126.0000000000846000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000C.00000002.2883587516.0000000000846000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000C.00000003.1929606614.0000000000846000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000C.00000002.2889008138.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000D.00000003.1935412502.0000000001395000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000D.00000003.1935258122.0000000001395000.00000004.00000020.00020000.00000000.sdmp, 
SPCapIQProOffice-1.0.24095.1.exe, 0000000D.00000003.1996686802.0000000001395000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000D.00000002.2889960960.0000000003B18000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000D.00000002.2889695011.0000000003710000.00000004.00000800.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000D.00000003.1935258122.000000000136E000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000D.00000002.2882904243.0000000001395000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000D.00000002.2889960960.0000000003B22000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    high
                                                                    https://www.capitaliq.spglobal.cn/wSPCapIQProOffice-1.0.24095.1.exe, 0000000D.00000002.2882904243.0000000001348000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                      unknown
                                                                      https://www.capitaliq.spglobal.cn/apiservices/office-tools-service/CSPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2032193426.0000000001084000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 00000010.00000003.2032900367.0000000001084000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        unknown
                                                                        https://www.capitaliq.spglobal.com/apisSPCapIQProOffice-1.0.24095.1.exe, 0000000C.00000003.1929249126.0000000000846000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000C.00000002.2883587516.0000000000846000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000C.00000003.1929606614.0000000000846000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                          high
                                                                          https://www.capitaliq.SPCapIQProOffice-1.0.24095.1.exe, 0000000D.00000003.1935412502.0000000001395000.00000004.00000020.00020000.00000000.sdmp, SPCapIQProOffice-1.0.24095.1.exe, 0000000D.00000003.1935258122.0000000001395000.00000004.00000020.00020000.00000000.sdmpfalse
IP | Domain | Country | ASN | ASN Name | Malicious
173.222.249.26 | unknown | United States | 20940 | AKAMAI-ASN1EU | false
96.16.60.197 | unknown | United States | 16625 | AKAMAI-ASUS | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1428493
Start date and time: 2024-04-19 02:51:22 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 12m 44s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 51
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
                                                                                                    Technologies:
                                                                                                    • HCA enabled
                                                                                                    • EGA enabled
                                                                                                    • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: SPCapIQProOffice-1.0.24095.1.exe
Detection: SUS
Classification: sus24.rans.evad.winEXE@77/696@0/2
                                                                                                    EGA Information:
                                                                                                    • Successful, ratio: 100%
                                                                                                    HCA Information:
                                                                                                    • Successful, ratio: 100%
                                                                                                    • Number of executed functions: 119
                                                                                                    • Number of non-executed functions: 258
                                                                                                    Cookbook Comments:
                                                                                                    • Found application associated with file extension: .exe
                                                                                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, consent.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, VSSVC.exe, svchost.exe
• Not all processes were analyzed, report is missing behavior information
                                                                                                    • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                    • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                                    • Report size getting too big, too many NtCreateFile calls found.
                                                                                                    • Report size getting too big, too many NtCreateKey calls found.
                                                                                                    • Report size getting too big, too many NtOpenFile calls found.
                                                                                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                    • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                                                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                    • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                                                    • Report size getting too big, too many NtSetInformationFile calls found.
                                                                                                    • Report size getting too big, too many NtSetValueKey calls found.
                                                                                                    • Skipping network analysis since amount of network traffic is too extensive
Time | Type | Description
01:52:31 | Autostart | Run: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce {56aa9754-57aa-4a26-a164-12075d94eb2e} "C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe" /burn.runonce
01:54:12 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Sync C:\Program Files (x86)\SP Global Market Intelligence\SP Capital IQ Office\Empower\empower\sync\empowerSync.exe
02:52:29 | API Interceptor | 59x Sleep call for process: SrTasks.exe modified
Process: C:\Windows\System32\msiexec.exe
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 608080
Entropy (8bit): 6.297676823354886
Encrypted: false
SSDEEP: 12288:koBFUsQ1H5FH3YUTd/df0RA7XkNvEKZm+aWodEEiblHN/:dFUsQ1H5FHdGKkNvEKZm+aWodEEcHN/
MD5: D029339C0F59CF662094EDDF8C42B2B5
SHA1: A0B6DE44255CE7BFADE9A5B559DD04F2972BFDC8
SHA-256: 934D882EFD3C0F3F1EFBC238EF87708F3879F5BB456D30AF62F3368D58B6AA4C
SHA-512: 021D9AF52E68CB7A3B0042D9ED6C9418552EE16DF966F9CCEDD458567C47D70471CB8851A69D3982D64571369664FAEEAE3BE90E2E88A909005B9CDB73679C82
Malicious: false
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                        • Antivirus: Virustotal, Detection: 0%
                                                                                                                        Joe Sandbox View:
                                                                                                                        • Filename: , Detection: malicious
                                                                                                                        • Filename: , Detection: malicious
                                                                                                                        • Filename: NSD_5.20_2023081417.exe, Detection: malicious
                                                                                                                        • Filename: NSD_5.20_2023081417.exe, Detection: malicious
                                                                                                                        • Filename: setup.exe, Detection: malicious
                                                                                                                        • Filename: 1000a.msi, Detection: malicious
                                                                                                                        • Filename: SecuriteInfo.com.FileRepMalware.32132.13137.exe, Detection: malicious
                                                                                                                        • Filename: LaZagne.exe, Detection: malicious
                                                                                                                        • Filename: Advanced_IP_Scanner.exe, Detection: malicious
                                                                                                                        • Filename: Advanced_IP_Scanner.exe, Detection: malicious
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):38
                                                                                                                        Entropy (8bit):4.0933405928928694
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3:HRDM3iJKRLMFn:bJKRLkn
                                                                                                                        MD5:F9A33365723B91ABF48A528E706D70ED
                                                                                                                        SHA1:D8DA1A19A69D745036EA7983BDC90F031FE9110C
                                                                                                                        SHA-256:676A9E17268E14567B5B2220244F5AB740A61CAB62BC02DE6126854B8382D7CA
                                                                                                                        SHA-512:5F650CE53F793FF0E7B0054C0253684A61FE4C282A4D2412A3AB5C3801B2D60C54BE6459ED019780A969916ADF497C0EEDE7F67A19A2E9B0004181D1E5E84D38
                                                                                                                        Malicious:false
                                                                                                                        Preview:"Dummy File, for installation only" ..
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:data
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):788
                                                                                                                        Entropy (8bit):0.09823380614560741
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3:lbll/:lB
                                                                                                                        MD5:DF7119A5D3CAEDA80BF0FB6F8E53DE8F
                                                                                                                        SHA1:76458E1D2E0FA4519FACB71A5F23F8799713BE2B
                                                                                                                        SHA-256:3C418A401CBE09F64EDE6E598C5CA36717830446147C8EF6327168EDC7B1CB0C
                                                                                                                        SHA-512:85142D1942111783303FA060348BC76B1DD361336DCCC9DC9CDD3432EC6CF215756CBA66A367E560C9D5719BA4F585434319A66D9A97D9A09F5AC4A752B00B6C
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (580), with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):39960
                                                                                                                        Entropy (8bit):3.546136332718863
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:4vE1fXRqJZzSWHGfFchpWmlwD+s+gfgol6LuFqJ+kJqNvqBv:gENXR2dGfFApWmlk+BgooMLCqJUq
                                                                                                                        MD5:C535B0D3BAD7CD3764E4A8C36D7CC511
                                                                                                                        SHA1:03B90F562D1BC51E10B25FA39F79E00BD5C43CB7
                                                                                                                        SHA-256:41D63B6A88DE932DBCD7BE2C3028CBA9E2F7760DA88068F0FE1A2553C8FEB071
                                                                                                                        SHA-512:885247EB1AC9E98954C73C6139BC2382D8B28C06A6D4D782DC22EFBADED7C7EE902ADCFA258AB0A1388C45A87B54E4020BCE7FB49B7F845BAA415BC600125378
                                                                                                                        Malicious:false
                                                                                                                        Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.X.6.4.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".T.h.i.s. .s.e.t.u.p. .p.r.o.g.r.a.m. .r.e.q.u.i.r.e.s. .a.n. .x.6.4. .p.l.a.t.f.o.r.m... .I.t. .c.a.n.n.o.t. .b.e. .i.n.s.t.a.l.l.e.d. .o.n. .t.h.i.s. .p.l.a.t.f.o.r.m..."./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.I.A.6.4.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".T.h.i.s. .s.e.t.u.p. .p.r.o.g.r.a.m. .r.e.q.u.i.r.e.s. .a.n. .I.A.6.4. .p.l.a.t.f.o.r.m... .I.t. .c.a.n.n.o.t. .b.e. .i.n.s.t.a.l.l.e.d. .o.n. .t.h.i.s. .p.l.a.t.f.o.r.m..."./.>..... . . . . . .<.T.e.x.t. .I.D.
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):18080
                                                                                                                        Entropy (8bit):5.766442508142232
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:ox2SX2vPzBrSxWkeWDaCIc3q0GftpBjv8:OlNNi6
                                                                                                                        MD5:D8593BACB734BB0183C6D100739D61F5
                                                                                                                        SHA1:DCBA9A329BEA4826B69AD637EB403D5BFAD5A64E
                                                                                                                        SHA-256:EDEABC58C2C151A667A053E7AFF0D792F17306DF14FFC4C427266842F791F94A
                                                                                                                        SHA-512:CD2C28E7F75421461A9815FB4E4CBF2A8F9A6CC2725577FDF606426F949923612056A7065B23254B1E9AEE06F351EB8927ED0AA79380855F5EA5B619B0FBBDB9
                                                                                                                        Malicious:false
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):159122
                                                                                                                        Entropy (8bit):4.973733509322075
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:768:Rzh9hPd5MnYK3Tj7xS+MiPf8b7Qh+C6zs8kWblFl6KRDqP4eLRSTU8elKlDpsgjH:RzlCDCylpPrOaaFlRwE
                                                                                                                        MD5:CF60C7C03A7259D88E99E56389513BDB
                                                                                                                        SHA1:B0C24D71598775AA8024FAA2BA538CDB7EE8E62A
                                                                                                                        SHA-256:7CD420D6C323EC36FEB967AA3334AB36129C2CE5F8699F9D1B17B11CDE307874
                                                                                                                        SHA-512:4452CE62AC4F0BD6BB5ABA24128110958E6AAE8C07C11F963B04469EE39880E6AB38A1FB8EDCDB3B54A4D81CAECADE47CD876C96CDC4BB778405B550F3823DC4
                                                                                                                        Malicious:false
                                                                                                                        Preview:{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff38\deff0\stshfdbch11\stshfloch0\stshfhich0\stshfbi0\deflang1033\deflangfe2052\themelang1033\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman{\*\falt Times};}..{\f2\fbidi \fmodern\fcharset0\fprq1{\*\panose 02070309020205020404}Courier New{\*\falt Arial};}{\f3\fbidi \froman\fcharset2\fprq2{\*\panose 05050102010706020507}Symbol{\*\falt Times};}..{\f10\fbidi \fnil\fcharset2\fprq2{\*\panose 05000000000000000000}Wingdings{\*\falt Symbol};}{\f11\fbidi \fmodern\fcharset128\fprq1{\*\panose 02020609040205080304}MS Mincho{\*\falt ?l?r ??\'81\'66c};}..{\f13\fbidi \fnil\fcharset134\fprq2{\*\panose 02010600030101010101}SimSun{\*\falt ??????\'a8\'ac???};}{\f34\fbidi \froman\fcharset0\fprq2{\*\panose 02040503050406030204}Cambria Math{\*\falt Calisto MT};}..{\f38\fbidi \fswiss\fcharset0\fprq2{\*\panose 020b0604030504040204}Tahoma{\*\falt ?l?r ??u!??I};}{\f367\fbidi \fswiss\fcharset0\fprq2{\*
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (580), with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):39960
                                                                                                                        Entropy (8bit):3.546136332718863
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:4vE1fXRqJZzSWHGfFchpWmlwD+s+gfgol6LuFqJ+kJqNvqBv:gENXR2dGfFApWmlk+BgooMLCqJUq
                                                                                                                        MD5:C535B0D3BAD7CD3764E4A8C36D7CC511
                                                                                                                        SHA1:03B90F562D1BC51E10B25FA39F79E00BD5C43CB7
                                                                                                                        SHA-256:41D63B6A88DE932DBCD7BE2C3028CBA9E2F7760DA88068F0FE1A2553C8FEB071
                                                                                                                        SHA-512:885247EB1AC9E98954C73C6139BC2382D8B28C06A6D4D782DC22EFBADED7C7EE902ADCFA258AB0A1388C45A87B54E4020BCE7FB49B7F845BAA415BC600125378
                                                                                                                        Malicious:false
                                                                                                                        Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.X.6.4.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".T.h.i.s. .s.e.t.u.p. .p.r.o.g.r.a.m. .r.e.q.u.i.r.e.s. .a.n. .x.6.4. .p.l.a.t.f.o.r.m... .I.t. .c.a.n.n.o.t. .b.e. .i.n.s.t.a.l.l.e.d. .o.n. .t.h.i.s. .p.l.a.t.f.o.r.m..."./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.I.A.6.4.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".T.h.i.s. .s.e.t.u.p. .p.r.o.g.r.a.m. .r.e.q.u.i.r.e.s. .a.n. .I.A.6.4. .p.l.a.t.f.o.r.m... .I.t. .c.a.n.n.o.t. .b.e. .i.n.s.t.a.l.l.e.d. .o.n. .t.h.i.s. .p.l.a.t.f.o.r.m..."./.>..... . . . . . .<.T.e.x.t. .I.D.
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):15008
                                                                                                                        Entropy (8bit):6.106786298419671
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:rzuwLmlCW1g+/kmXWpnEWvaCIc3q0GftpBjLV:0lpffG3iVV
                                                                                                                        MD5:33C45551F18E80F8258E1ED07ECAF727
                                                                                                                        SHA1:E7A04454C093CA0DEC56B02E868E151109597F8C
                                                                                                                        SHA-256:F7F5CCF7B3C0014073E35662FF64B6E6B12B3CC0AC614E0AE761E9FB7B2F46DB
                                                                                                                        SHA-512:9F355569CF6F2E945611DC907A792239881226BFBF01BC3E69A4F21E4512F9F3B35E15A1784E8279E14FCC296B9A3EE656E4F07C564FE2A5D3F0AFFDA9F7F9B7
                                                                                                                        Malicious:false
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):189807
                                                                                                                        Entropy (8bit):4.988103229844314
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3072:+xJtNoEXbnjdNxVn5oI7iQyI+zrlMcEUAm7lLhfp+L4RJAcJXQTGZBENr5ztQHKU:ObjdNxVn5oI7iQyI+zrlMcEUAm7lLhff
                                                                                                                        MD5:DA544E5765610415F7B85EAAF2BAB48D
                                                                                                                        SHA1:EA7891A3A703571102760ED68CE595F105F78EEE
                                                                                                                        SHA-256:948292A99026D7A150973902BAAFD55CB19465CD1A74765D593B091B92B48E1F
                                                                                                                        SHA-512:DD378C07E9F77B3B5BEF29AD3B3BBE0AD23B9C3BB129FE8E25FC2CB6262AF01F6C3B8F371796F026B5DAD32E4AB17F2B75AA36EEE0110A8D70EFDC196AE9B7D8
                                                                                                                        Malicious:false
                                                                                                                        Preview:{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff0\deff0\stshfdbch14\stshfloch0\stshfhich0\stshfbi0\deflang1033\deflangfe1033\themelang1033\themelangfe2052\themelangcs1025{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman{\*\falt Times};}..{\f2\fbidi \fmodern\fcharset0\fprq1{\*\panose 02070309020205020404}Courier New{\*\falt Arial};}{\f3\fbidi \froman\fcharset2\fprq2{\*\panose 05050102010706020507}Symbol{\*\falt Times};}..{\f10\fbidi \fnil\fcharset2\fprq2{\*\panose 05000000000000000000}Wingdings{\*\falt Symbol};}{\f11\fbidi \fmodern\fcharset128\fprq1{\*\panose 02020609040205080304}MS Mincho{\*\falt ?l?r ??\'81\'66c};}..{\f13\fbidi \fnil\fcharset134\fprq2{\*\panose 02010600030101010101}SimSun{\*\falt ???\'a1\'ec??};}{\f14\fbidi \froman\fcharset136\fprq2{\*\panose 02020500000000000000}PMingLiU{\*\falt \'b7\'73\'b2\'d3\'a9\'fa\'c5\'e9};}..{\f34\fbidi \froman\fcharset0\fprq2{\*\panose 02040503050406030204}Cambria Math{\*\falt Calisto MT};}{\f38\fbidi \f
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (580), with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):39960
                                                                                                                        Entropy (8bit):3.546136332718863
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:4vE1fXRqJZzSWHGfFchpWmlwD+s+gfgol6LuFqJ+kJqNvqBv:gENXR2dGfFApWmlk+BgooMLCqJUq
                                                                                                                        MD5:C535B0D3BAD7CD3764E4A8C36D7CC511
                                                                                                                        SHA1:03B90F562D1BC51E10B25FA39F79E00BD5C43CB7
                                                                                                                        SHA-256:41D63B6A88DE932DBCD7BE2C3028CBA9E2F7760DA88068F0FE1A2553C8FEB071
                                                                                                                        SHA-512:885247EB1AC9E98954C73C6139BC2382D8B28C06A6D4D782DC22EFBADED7C7EE902ADCFA258AB0A1388C45A87B54E4020BCE7FB49B7F845BAA415BC600125378
                                                                                                                        Malicious:false
                                                                                                                        Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.X.6.4.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".T.h.i.s. .s.e.t.u.p. .p.r.o.g.r.a.m. .r.e.q.u.i.r.e.s. .a.n. .x.6.4. .p.l.a.t.f.o.r.m... .I.t. .c.a.n.n.o.t. .b.e. .i.n.s.t.a.l.l.e.d. .o.n. .t.h.i.s. .p.l.a.t.f.o.r.m..."./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.I.A.6.4.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".T.h.i.s. .s.e.t.u.p. .p.r.o.g.r.a.m. .r.e.q.u.i.r.e.s. .a.n. .I.A.6.4. .p.l.a.t.f.o.r.m... .I.t. .c.a.n.n.o.t. .b.e. .i.n.s.t.a.l.l.e.d. .o.n. .t.h.i.s. .p.l.a.t.f.o.r.m..."./.>..... . . . . . .<.T.e.x.t. .I.D.
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):19104
                                                                                                                        Entropy (8bit):5.3920443507238165
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:2BX61hALPTIOCWp9feWPfEQq0GftpBjwfB:28kPFiGJ
                                                                                                                        MD5:34517F671E26E214CE928D76DA001255
                                                                                                                        SHA1:BB1DDB8101E34E35FA49724BADEC2DA951783C05
                                                                                                                        SHA-256:3F86499FF5F2D0019ADEA53B022242869AA1FDDC76D37E90A96F13C064D88012
                                                                                                                        SHA-512:6DBF8AB7AF29BEB8EA02C8C8193A50F037F56DD7911D4EAE1BB101475188D74A5C82200677DF1BB186BBF528206364D3C38D102C35B94E958B6D0461F9BF64D9
                                                                                                                        Malicious:false
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):168158
                                                                                                                        Entropy (8bit):5.010437753886654
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3072:vInJ+MjXrRJAezEDuiCEmYOUK/IbBRZQGZOH52j:A06Gn
                                                                                                                        MD5:8A30BE24777F3FF5C8A8078D423ECBCF
                                                                                                                        SHA1:6FFCE07D713114494FDB168E6EF069C5384B40EC
                                                                                                                        SHA-256:843C9B45DDC3A402269E28919823ABF1C82E6D13BBFF6EE25A317010446F1694
                                                                                                                        SHA-512:53E5FA45CA3FB5BD38757193B2FD932695A38D823A2276BF009167FF7E52EA1EB0C2C8E939438688C7D0A42B0C2E8B15AC0385BE5E418B66C3C31E182E546A73
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (580), with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):39960
                                                                                                                        Entropy (8bit):3.546136332718863
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:4vE1fXRqJZzSWHGfFchpWmlwD+s+gfgol6LuFqJ+kJqNvqBv:gENXR2dGfFApWmlk+BgooMLCqJUq
                                                                                                                        MD5:C535B0D3BAD7CD3764E4A8C36D7CC511
                                                                                                                        SHA1:03B90F562D1BC51E10B25FA39F79E00BD5C43CB7
                                                                                                                        SHA-256:41D63B6A88DE932DBCD7BE2C3028CBA9E2F7760DA88068F0FE1A2553C8FEB071
                                                                                                                        SHA-512:885247EB1AC9E98954C73C6139BC2382D8B28C06A6D4D782DC22EFBADED7C7EE902ADCFA258AB0A1388C45A87B54E4020BCE7FB49B7F845BAA415BC600125378
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):19616
                                                                                                                        Entropy (8bit):5.29186903928536
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:Xc16m3rhGrcHN/USYvYVABWKieWcfEQq0GftpBjR:XwhCSVYvYVA0cFiX
                                                                                                                        MD5:9308820ADFB98BF18E98DA8088070500
                                                                                                                        SHA1:D8DFE0542A0590C7DAE08AD798540AC910476616
                                                                                                                        SHA-256:A712BD7F6139C0354001B3A58278AB98BEBEB4EEBFD05FE1465ED277AA090B8A
                                                                                                                        SHA-512:36100BD238F8E9FD21761F5415741170D4E5FCBCE1E60414BFBDEB89E285C183FC32A6A156864A31BA09964B3B04E8D55E39E6743A7A4C16A303A19C6FDE1C4E
                                                                                                                        Malicious:false
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):144106
                                                                                                                        Entropy (8bit):5.04416582801015
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3072:N5gEPm3ERiA7JzI3ilBEBr97dQnKG5zpZ27KNz:rt
                                                                                                                        MD5:20698F43906A615DA1AD18FAF5334F9D
                                                                                                                        SHA1:7DF1637485954C478ED316A148E6C5528B7D12B2
                                                                                                                        SHA-256:960422F2172B73D84F1D013FF11355202E4B6CB1C33CE0DF9149735E191C07CA
                                                                                                                        SHA-512:6EFBB5B7ABCB5AC41A71E5E3241BA833E0CFC355D6E6A56199F55F83FB2E6D127074ECC9B13378EC2C3C4DD37FE934A93814FCC8D7F15698DCAAB2A450EB9D95
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (581), with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):40284
                                                                                                                        Entropy (8bit):3.5377528456795426
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:4XkNf3hyhJ7qevmf9MhBmWVwzWsOIf4QVSru9SJOkR6NXaxu:gkl3hG9mf94BmWVEWBIgQ0raSJM7
                                                                                                                        MD5:FE6F7C73707C607D9F520C17E73C6B5D
                                                                                                                        SHA1:4DAB1FA7809BCAFBABD9431702068A861E39F1C6
                                                                                                                        SHA-256:1E18479BCA633D81EA61A4251986DF8B801ED9327A2CD14C86093D7F9A774AC4
                                                                                                                        SHA-512:D4608B264771E99249C1B0250319DEAF43CB40251C718B682F696F4E9CEB27EC23A0CA1969DF4A6222BA48755BC6ED0680DD675B7215250B82462649B3FC24C0
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):18080
                                                                                                                        Entropy (8bit):5.322153302544614
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:mgofWpkeWZ9ygC/TfFkWfEQq0GftpBj+FX:+j4/DFFiu
                                                                                                                        MD5:ED86491EB017DB64F2BD735607AE4DC2
                                                                                                                        SHA1:5F5CA1AA92340D52C91E4C8DF1F6B3AAA8260DE7
                                                                                                                        SHA-256:281654582D6912A994B3D649B89FDC0B9BB1E5FF751D0165BDF35F6F4E89A786
                                                                                                                        SHA-512:E33A3A9091F28F7B5E4D93AEA54577A321092E9C42BC15FB8F2996F4F657C42D6F2F9C0437A9057B4740C2DD00A939A53445D1A364F87C8F488E2CC0E29C04AB
                                                                                                                        Malicious:false
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):163998
                                                                                                                        Entropy (8bit):5.016380895489512
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3072:h3AxL/D7r21XgRJA8J/snalBEm0OgKXIJR10GZybh2md:RAPd
                                                                                                                        MD5:C51CC1E49358A7AD3A498B737F642A2F
                                                                                                                        SHA1:96540D2327C47603D6269F1BCE72132EC0F7D3B8
                                                                                                                        SHA-256:7054959C27F600CF5EF0F748E294BA3E529CD825F12246777AA6F6EF476E556D
                                                                                                                        SHA-512:420B607FAC7F3D9A417323EC70652956D238A4742F383BBAB7E26BC3E4DFA8F8B3F040644CB9124E9B4B21153C4EBD12DB92BE5EC90A2F56FDBFA57D43080335
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (580), with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):39960
                                                                                                                        Entropy (8bit):3.546136332718863
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:4vE1fXRqJZzSWHGfFchpWmlwD+s+gfgol6LuFqJ+kJqNvqBv:gENXR2dGfFApWmlk+BgooMLCqJUq
                                                                                                                        MD5:C535B0D3BAD7CD3764E4A8C36D7CC511
                                                                                                                        SHA1:03B90F562D1BC51E10B25FA39F79E00BD5C43CB7
                                                                                                                        SHA-256:41D63B6A88DE932DBCD7BE2C3028CBA9E2F7760DA88068F0FE1A2553C8FEB071
                                                                                                                        SHA-512:885247EB1AC9E98954C73C6139BC2382D8B28C06A6D4D782DC22EFBADED7C7EE902ADCFA258AB0A1388C45A87B54E4020BCE7FB49B7F845BAA415BC600125378
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):19104
                                                                                                                        Entropy (8bit):5.327661667381336
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:192:91kinUfwVWVRdufl0fXA1Z1j93S0WHpdcIirs442QzWMkeWjlqSya6HIp24uDBk2:9i16Lwz51VWMkeW4aCIc3q0GftpBjrC
                                                                                                                        MD5:756D11A756A878D6AF0536760B2E12B2
                                                                                                                        SHA1:E87A302DDF02CA34818880BDA124FC7D68AAD098
                                                                                                                        SHA-256:4F4B5A16924C531C9DDCA1E09B32B54BDAD5723FF1649906AA20ADDE214D69F3
                                                                                                                        SHA-512:5D2BF6E1C9B959BF8317F51004B6C735C00FFD2C3DB023E3CA9023913FDBEBA4AA754FFBF73300E7D551541F0408732E190745F18FE43E4ACE1DBD96E2DC92D9
                                                                                                                        Malicious:false
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):155201
                                                                                                                        Entropy (8bit):5.032612994966786
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3072:K5H34RJAcJXQTGZBENr5ztQHK6u8GiSc90:YHh
                                                                                                                        MD5:9B168D32CB33CF79723A4D8C134EA249
                                                                                                                        SHA1:4C0AC8E205D5069A4FFE45335512EB09549F95D2
                                                                                                                        SHA-256:4C25A4B4AF5ADD754116C34DC875185C15B1947F58A27BB30CA9ADF06820F470
                                                                                                                        SHA-512:88D143FC8D766D48578A0250F67A3D6FCACD737651EF34F270C016D162F284BACE99081BB0AE88F6CA9299A2F197125195B2754BA30C78B1C6D9510E2681C221
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (580), with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):39960
                                                                                                                        Entropy (8bit):3.546136332718863
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:4vE1fXRqJZzSWHGfFchpWmlwD+s+gfgol6LuFqJ+kJqNvqBv:gENXR2dGfFApWmlk+BgooMLCqJUq
                                                                                                                        MD5:C535B0D3BAD7CD3764E4A8C36D7CC511
                                                                                                                        SHA1:03B90F562D1BC51E10B25FA39F79E00BD5C43CB7
                                                                                                                        SHA-256:41D63B6A88DE932DBCD7BE2C3028CBA9E2F7760DA88068F0FE1A2553C8FEB071
                                                                                                                        SHA-512:885247EB1AC9E98954C73C6139BC2382D8B28C06A6D4D782DC22EFBADED7C7EE902ADCFA258AB0A1388C45A87B54E4020BCE7FB49B7F845BAA415BC600125378
                                                                                                                        Malicious:false
                                                                                                                        Preview:<?xml version="1.0" encoding="utf-16"?> <Setup xmlns="http://schemas.microsoft.com/Setup/2008/01/im" xmlns:ironman="http://schemas.microsoft.com/Setup/2008/01/im"> <LocalizedData> <Language> <Text ID="#(loc.Blocker_X64)" LocalizedText="This setup program requires an x64 platform. It cannot be installed on this platform."/> <Text ID="#(loc.Blocker_IA64)" LocalizedText="This setup program requires an IA64 platform. It cannot be installed on this platform."/> <Text ID
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):19616
                                                                                                                        Entropy (8bit):5.271105830776341
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:snZ66AY9li3OoDDkbmWpAeWjaCIc3q0GftpBjKf:sLfiZDgmtig
                                                                                                                        MD5:8FA521DE84995A6F89B0D81370D6E1EC
                                                                                                                        SHA1:06F5E034D53DC037EA3E1966FB7B9F0144CB834D
                                                                                                                        SHA-256:846EEDEC28A5A16807874A7CF92A855970B089BD010AA2FAA982D25CFB9D1445
                                                                                                                        SHA-512:BE1639DAE1B52F12B15F6B25962D5E0ED42E9A3A87B3EEC90E844956A56AAA468AC9E6EDECF5BF91B1ACDE3FA6E4F81D0F9093B9AB189DB20F5D88E3E8377977
                                                                                                                        Malicious:false
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):160816
                                                                                                                        Entropy (8bit):5.023465722024373
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3072:hk18qMRJAwJjAXetBE1rRbe+KusGWqcJ2f:m5
                                                                                                                        MD5:40188EB3E79733C3E9D36A9A9C072E78
                                                                                                                        SHA1:B07CCC42A94A1142A37DAF45A850910F497645FE
                                                                                                                        SHA-256:4F24556B2960559B93A0C5B1FB5145432D2AD225692BBD2BC92C1A30453340FA
                                                                                                                        SHA-512:55868E710AA593C597AEA8E975A9665A642B3CFAEF18363D77FDE7E7DA17EB4A19B5A491718E73F071E58169683EFE13CA495771E36018D73CC9F6F22C8BC242
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (580), with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):39960
                                                                                                                        Entropy (8bit):3.546136332718863
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:4vE1fXRqJZzSWHGfFchpWmlwD+s+gfgol6LuFqJ+kJqNvqBv:gENXR2dGfFApWmlk+BgooMLCqJUq
                                                                                                                        MD5:C535B0D3BAD7CD3764E4A8C36D7CC511
                                                                                                                        SHA1:03B90F562D1BC51E10B25FA39F79E00BD5C43CB7
                                                                                                                        SHA-256:41D63B6A88DE932DBCD7BE2C3028CBA9E2F7760DA88068F0FE1A2553C8FEB071
                                                                                                                        SHA-512:885247EB1AC9E98954C73C6139BC2382D8B28C06A6D4D782DC22EFBADED7C7EE902ADCFA258AB0A1388C45A87B54E4020BCE7FB49B7F845BAA415BC600125378
                                                                                                                        Malicious:false
                                                                                                                        Preview:<?xml version="1.0" encoding="utf-16"?> <Setup xmlns="http://schemas.microsoft.com/Setup/2008/01/im" xmlns:ironman="http://schemas.microsoft.com/Setup/2008/01/im"> <LocalizedData> <Language> <Text ID="#(loc.Blocker_X64)" LocalizedText="This setup program requires an x64 platform. It cannot be installed on this platform."/> <Text ID="#(loc.Blocker_IA64)" LocalizedText="This setup program requires an IA64 platform. It cannot be installed on this platform."/> <Text ID
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):17568
                                                                                                                        Entropy (8bit):5.878590477877689
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:192:fAXkdHUfwVW13jowXiTeISvjpHawC1MWWeWlGLeuDBks/nGfe4pBjS7anTnfV:fl06Qrw5MWWeWA5q0GftpBjHnzV
                                                                                                                        MD5:8718207FFF4D5305CE6F82260223AA63
                                                                                                                        SHA1:CAF4EE4AF63DD1C3DB1365F10100E27072A5EF80
                                                                                                                        SHA-256:A0104CF7F6AAEA161353A0751F63793F579FDBA14177932E92A2864D67C5BADE
                                                                                                                        SHA-512:CE26CEA5B8D9C452A688E46965D1FFE82279B46CC98F00F9369986ABAA1A91EB94495810E39C73D8E61584DD084D1269150950B934C2F206D888BE06D659CC18
                                                                                                                        Malicious:false
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):143461
                                                                                                                        Entropy (8bit):4.992111412514566
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:768:4zhUUVMeNkfjGuVjvxY7uCEM7TZe0cFhxHy5qnWi+iJyuinVZDJzQC69V72nOA3+:4ur0mw/5O6xY
                                                                                                                        MD5:79036650E9DF1891C51E4F4CF8D718FB
                                                                                                                        SHA1:43CFB5EC1E920AA2E669FB9DBC562C7CCF2F79AF
                                                                                                                        SHA-256:3B7E74C398477F6EBAD95433C66D58348579C5335ADC5F2C1FB206DF4CE7D8B9
                                                                                                                        SHA-512:DEF270B07B64DE1ABD8E09309279A96FBF023263560EB7C554396B16559640106AF8E2AFD2871F1A6688659AED3C899EB32EC09848C042B2014786BF4C4854B9
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (580), with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):39960
                                                                                                                        Entropy (8bit):3.546136332718863
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:4vE1fXRqJZzSWHGfFchpWmlwD+s+gfgol6LuFqJ+kJqNvqBv:gENXR2dGfFApWmlk+BgooMLCqJUq
                                                                                                                        MD5:C535B0D3BAD7CD3764E4A8C36D7CC511
                                                                                                                        SHA1:03B90F562D1BC51E10B25FA39F79E00BD5C43CB7
                                                                                                                        SHA-256:41D63B6A88DE932DBCD7BE2C3028CBA9E2F7760DA88068F0FE1A2553C8FEB071
                                                                                                                        SHA-512:885247EB1AC9E98954C73C6139BC2382D8B28C06A6D4D782DC22EFBADED7C7EE902ADCFA258AB0A1388C45A87B54E4020BCE7FB49B7F845BAA415BC600125378
                                                                                                                        Malicious:false
                                                                                                                        Preview:<?xml version="1.0" encoding="utf-16"?> <Setup xmlns="http://schemas.microsoft.com/Setup/2008/01/im" xmlns:ironman="http://schemas.microsoft.com/Setup/2008/01/im"> <LocalizedData> <Language> <Text ID="#(loc.Blocker_X64)" LocalizedText="This setup program requires an x64 platform. It cannot be installed on this platform."/> <Text ID="#(loc.Blocker_IA64)" LocalizedText="This setup program requires an IA64 platform. It cannot be installed on this platform."/> <Text ID
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):19104
                                                                                                                        Entropy (8bit):5.307480013444462
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:jnn6Tg7AtONBKHno5FWneWFy36q0GftpBju:jbAbsa8kiU
                                                                                                                        MD5:FC964FEADD0EB41C1CD44E78B80C2B23
                                                                                                                        SHA1:DB4923583685B4DAC8C81A5A0DA0CF6A6C1EBED8
                                                                                                                        SHA-256:670009D4F0C9B4191DF8DAA660303EA55F68D510100B3CA280C5BAC8B8639F44
                                                                                                                        SHA-512:E0AE9B71611535BDBBD859161ED2F05C1E1BBC8835D0B53BB05680082967499C06F9FCE66751399B9CB770C3DB5C8D78FDC1B2EEC1106BC888621E80D852AD3A
                                                                                                                        Malicious:false
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):185981
                                                                                                                        Entropy (8bit):5.006970219166777
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3072:vYu899MRJAwJjAXetBE1rRbe+KusGWqcJ2r:oV
                                                                                                                        MD5:537C50EFA2C96FFCA241D59141A76A81
                                                                                                                        SHA1:8EFA6A6EF3C53C96E323D461C4AA5E60E1D45289
                                                                                                                        SHA-256:8C0CE4C5FDF6531FA12E68B6408B8DB8811DE7BA8276585FF328B374F8381B5C
                                                                                                                        SHA-512:625099D981579A4074BE8CD4E97B70468F4D14B0BEEEB674CAA74D54E1CCF6236ED37DCF77A42633AFFA0C0637194BAD30467E5F082B39D5DD0E99E252BBAC53
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (580), with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):39960
                                                                                                                        Entropy (8bit):3.546136332718863
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:4vE1fXRqJZzSWHGfFchpWmlwD+s+gfgol6LuFqJ+kJqNvqBv:gENXR2dGfFApWmlk+BgooMLCqJUq
                                                                                                                        MD5:C535B0D3BAD7CD3764E4A8C36D7CC511
                                                                                                                        SHA1:03B90F562D1BC51E10B25FA39F79E00BD5C43CB7
                                                                                                                        SHA-256:41D63B6A88DE932DBCD7BE2C3028CBA9E2F7760DA88068F0FE1A2553C8FEB071
                                                                                                                        SHA-512:885247EB1AC9E98954C73C6139BC2382D8B28C06A6D4D782DC22EFBADED7C7EE902ADCFA258AB0A1388C45A87B54E4020BCE7FB49B7F845BAA415BC600125378
                                                                                                                        Malicious:false
                                                                                                                        Preview:<?xml version="1.0" encoding="utf-16"?> <Setup xmlns="http://schemas.microsoft.com/Setup/2008/01/im" xmlns:ironman="http://schemas.microsoft.com/Setup/2008/01/im"> <LocalizedData> <Language> <Text ID="#(loc.Blocker_X64)" LocalizedText="This setup program requires an x64 platform. It cannot be installed on this platform."/> <Text ID="#(loc.Blocker_IA64)" LocalizedText="This setup program requires an IA64 platform. It cannot be installed on this platform."/> <Text ID
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):16544
                                                                                                                        Entropy (8bit):6.057737660734426
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:DhC7mS53JkNuW5UEWXaCIc3q0GftpBjBA:OmSkAji/A
                                                                                                                        MD5:05DC63F5BA455A4F71351C40F709D836
                                                                                                                        SHA1:7CA7A532679CD00B92C2FE7459ABE83FDD9B8108
                                                                                                                        SHA-256:74A4B386AEFB9AE7E01F8E61F576AAEB70EECEA4200B6AF4EA984B6A23BDE95E
                                                                                                                        SHA-512:AB9541A83404DCF303BEAE07D0A502F3DA149560416D5EB493E31F641660CC09CC5F8D7E57C3373DF8A2D926DB8B5A1BB8AE6CC7FFF1D8354B2ADD080215ED9E
                                                                                                                        Malicious:false
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):185073
                                                                                                                        Entropy (8bit):4.95667011370172
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3072:wdz8RJH7J3g7i1BE5rBvNQnKSusdZOc5Jw:c
                                                                                                                        MD5:2BDE42A55EEC09AD183F8FCF278337FC
                                                                                                                        SHA1:879D01F5D4B5F5668E012D6EB33D3717FF9ECB04
                                                                                                                        SHA-256:829717D58EF665B46B77ADD1A2F9AC55423963F1F732FE3D9ABB0B72350598D0
                                                                                                                        SHA-512:8CB7F9AC06DE808E906A72C3DDB67BF3077E9BC79A67E9F2489EF5756269B15C32732BA6F0B1F37B1CAD8551E5B186BF943E4AF3C6A8A09BAE3BBFAFF3DC383C
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (580), with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):39960
                                                                                                                        Entropy (8bit):3.546136332718863
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:4vE1fXRqJZzSWHGfFchpWmlwD+s+gfgol6LuFqJ+kJqNvqBv:gENXR2dGfFApWmlk+BgooMLCqJUq
                                                                                                                        MD5:C535B0D3BAD7CD3764E4A8C36D7CC511
                                                                                                                        SHA1:03B90F562D1BC51E10B25FA39F79E00BD5C43CB7
                                                                                                                        SHA-256:41D63B6A88DE932DBCD7BE2C3028CBA9E2F7760DA88068F0FE1A2553C8FEB071
                                                                                                                        SHA-512:885247EB1AC9E98954C73C6139BC2382D8B28C06A6D4D782DC22EFBADED7C7EE902ADCFA258AB0A1388C45A87B54E4020BCE7FB49B7F845BAA415BC600125378
                                                                                                                        Malicious:false
                                                                                                                        Preview:<?xml version="1.0" encoding="utf-16"?> <Setup xmlns="http://schemas.microsoft.com/Setup/2008/01/im" xmlns:ironman="http://schemas.microsoft.com/Setup/2008/01/im"> <LocalizedData> <Language> <Text ID="#(loc.Blocker_X64)" LocalizedText="This setup program requires an x64 platform. It cannot be installed on this platform."/> <Text ID="#(loc.Blocker_IA64)" LocalizedText="This setup program requires an IA64 platform. It cannot be installed on this platform."/> <Text ID
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):16032
                                                                                                                        Entropy (8bit):6.10084617158501
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:192:xpix6f+jYxzekdPKNS0N7gVCAgWpyeWmDFI/duDBks/nGfe4pBjS7UlPeg:libMj0lgRgWpyeW+ywq0GftpBjZlP/
                                                                                                                        MD5:53F62CD74599E622641EE9CD23620790
                                                                                                                        SHA1:8D7419E7A009CEB5F81D4B0893EF3A40487E8FB8
                                                                                                                        SHA-256:42715FFF862879575B4042EA6ECDBCDE5CB68F673D6C9795B8670DF9C6C821A0
                                                                                                                        SHA-512:FBF835D529A7DAB2F48D4D66C79ED60683BE96EE0D8DDF971A3499ABE520808975CD720E2693E00A64512D6C3D4F0DB28F45AE7087D7B2F621C911CBA0003243
                                                                                                                        Malicious:false
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):363487
                                                                                                                        Entropy (8bit):4.840413724364087
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3072:SWqnIeJA7VHLWiiEmQO/xvI1RhFZiLKd8:qj
                                                                                                                        MD5:231BCDD91D4BEAAEC841FBB5BEF8177E
                                                                                                                        SHA1:14848888FCF9E80C8D832C682A33C3038E9DAFFF
                                                                                                                        SHA-256:EE213E9C14D1391F0D0771F0E672A0C5804C8E57B989E5C199C290CC498051A4
                                                                                                                        SHA-512:2902012E62A020A595FFA6AA648AE55F41B996BCFED4ABC2766FDD664B87347DD91934F6DC5CD08C2DC25D3DA843C4A0812733C334D5E21B25B2A1F952BDE36A
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (580), with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):39960
                                                                                                                        Entropy (8bit):3.546136332718863
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:4vE1fXRqJZzSWHGfFchpWmlwD+s+gfgol6LuFqJ+kJqNvqBv:gENXR2dGfFApWmlk+BgooMLCqJUq
                                                                                                                        MD5:C535B0D3BAD7CD3764E4A8C36D7CC511
                                                                                                                        SHA1:03B90F562D1BC51E10B25FA39F79E00BD5C43CB7
                                                                                                                        SHA-256:41D63B6A88DE932DBCD7BE2C3028CBA9E2F7760DA88068F0FE1A2553C8FEB071
                                                                                                                        SHA-512:885247EB1AC9E98954C73C6139BC2382D8B28C06A6D4D782DC22EFBADED7C7EE902ADCFA258AB0A1388C45A87B54E4020BCE7FB49B7F845BAA415BC600125378
                                                                                                                        Malicious:false
                                                                                                                        Preview:<?xml version="1.0" encoding="utf-16"?> <Setup xmlns="http://schemas.microsoft.com/Setup/2008/01/im" xmlns:ironman="http://schemas.microsoft.com/Setup/2008/01/im"> <LocalizedData> <Language> <Text ID="#(loc.Blocker_X64)" LocalizedText="This setup program requires an x64 platform. It cannot be installed on this platform."/> <Text ID="#(loc.Blocker_IA64)" LocalizedText="This setup program requires an IA64 platform. It cannot be installed on this platform."/> <Text ID
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):20128
                                                                                                                        Entropy (8bit):5.258300957443283
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:g124Y0WDDkowwX8OZjv1t6WVLeWty36q0GftpBjb:oYZ1kki5
                                                                                                                        MD5:99B9A985DBE30B044380CFAF95579F16
                                                                                                                        SHA1:E4C5CC5AAEFB534FDEE61A2BE25F7A39BB0AB1D2
                                                                                                                        SHA-256:399A838B9C61696536D4B1AB29E6765781A69D29A6CD3B20EB4A221A18B27AEF
                                                                                                                        SHA-512:754D17482A019968490A267B68909F2F6E49999E3463EE9C5482D1E3FFDCC752FE3B5B1C20D630462451109F23D11FE7C19C6ADE8CBAEF830425D96A35920A82
                                                                                                                        Malicious:false
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):139568
                                                                                                                        Entropy (8bit):5.039707527027802
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3072:d8f9gRJA8J/snalBEm0OgKXIJR10GZybh2y:f
                                                                                                                        MD5:47B9B0787AAA0074C985F8283B0A3DBE
                                                                                                                        SHA1:D9D3E387C16FB4C23E0577A79281192F0645FD2A
                                                                                                                        SHA-256:97AB3F8B49F324A07AB924D432017F2171C40AD55F6F8A8CA109505AA2F0C267
                                                                                                                        SHA-512:64251E21557EFFB58777139085122C681762C2BB84F8483F24E3493CC27DB2A5B60134FB99C25D7DBEEF6B78AC06FABE1BECB4A557B6338858CC7D73DEADBC2B
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (580), with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):39960
                                                                                                                        Entropy (8bit):3.546136332718863
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):18592
                                                                                                                        Entropy (8bit):5.364646476975497
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):169920
                                                                                                                        Entropy (8bit):5.025124256028609
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (580), with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):39960
                                                                                                                        Entropy (8bit):3.546136332718863
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):19104
                                                                                                                        Entropy (8bit):5.43951060277537
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):164446
                                                                                                                        Entropy (8bit):5.050884337061002
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (580), with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):39960
                                                                                                                        Entropy (8bit):3.546136332718863
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):19104
                                                                                                                        Entropy (8bit):5.364849479933463
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):176888
                                                                                                                        Entropy (8bit):5.002262883456205
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (580), with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):39960
                                                                                                                        Entropy (8bit):3.546136332718863
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Preview:<?xml version="1.0" encoding="utf-16"?> <Setup xmlns="http://schemas.microsoft.com/Setup/2008/01/im" xmlns:ironman="http://schemas.microsoft.com/Setup/2008/01/im"> <LocalizedData> <Language> <Text ID="#(loc.Blocker_X64)" LocalizedText="This setup program requires an x64 platform. It cannot be installed on this platform."/> <Text ID="#(loc.Blocker_IA64)" LocalizedText="This setup program requires an IA64 platform. It cannot be installed on this platform."/> <Text ID
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):19616
                                                                                                                        Entropy (8bit):5.752719890410503
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:192:alBvnUfwVWBC623DV3SD1tt9WfXHT7nMI2xeWK+FI/duDBks/nGfe4pBjS7xmA:aDC6+URiD1vwLobeW1ywq0GftpBjm
                                                                                                                        MD5:0E9CB9E7DEC50310FA67F8A9B5A90FA4
                                                                                                                        SHA1:A5EBFE9ECA02A4C0A74434559D12A7BD27D72A92
                                                                                                                        SHA-256:DD409D61DA9A02B95E42CF85DB9F3BCF4D6CAE36A23D8C6B5814482E874AF5BE
                                                                                                                        SHA-512:2B45FE87ED7903A3D40CE7E4D2C65DC7AA54C065607BE79C642C35FD4EA16BDF227D8860A445F86AA2F937B12FBFF98AB3E1D3BE3132D1518F272EEF9C4A863C
                                                                                                                        Malicious:false
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):213599
                                                                                                                        Entropy (8bit):4.932887686592641
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3072:iMs8RJH7J3g7i1BE5rBvNQnKSusdZOc5Jk:e
                                                                                                                        MD5:8FA9093D854DD493FA0551E847E182C1
                                                                                                                        SHA1:B555DA4A2FC2013CFC569082F8C311BA9D640C90
                                                                                                                        SHA-256:BE7808A614C4604E1E97D37487C8F8C86E69AEDDFE2BAAA0E74BA02FCBBC3E2C
                                                                                                                        SHA-512:28EDA7235865CC68D517722915014F6616914EAB0A31120BD8E066C2AF255926A3B9E0E76CE4B5076DE8634D22F20FCF559A45B551A59E47CF07E095467279C3
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (580), with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):39960
                                                                                                                        Entropy (8bit):3.546136332718863
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:4vE1fXRqJZzSWHGfFchpWmlwD+s+gfgol6LuFqJ+kJqNvqBv:gENXR2dGfFApWmlk+BgooMLCqJUq
                                                                                                                        MD5:C535B0D3BAD7CD3764E4A8C36D7CC511
                                                                                                                        SHA1:03B90F562D1BC51E10B25FA39F79E00BD5C43CB7
                                                                                                                        SHA-256:41D63B6A88DE932DBCD7BE2C3028CBA9E2F7760DA88068F0FE1A2553C8FEB071
                                                                                                                        SHA-512:885247EB1AC9E98954C73C6139BC2382D8B28C06A6D4D782DC22EFBADED7C7EE902ADCFA258AB0A1388C45A87B54E4020BCE7FB49B7F845BAA415BC600125378
                                                                                                                        Malicious:false
                                                                                                                        Preview:<?xml version="1.0" encoding="utf-16"?> <Setup xmlns="http://schemas.microsoft.com/Setup/2008/01/im" xmlns:ironman="http://schemas.microsoft.com/Setup/2008/01/im"> <LocalizedData> <Language> <Text ID="#(loc.Blocker_X64)" LocalizedText="This setup program requires an x64 platform. It cannot be installed on this platform."/> <Text ID="#(loc.Blocker_IA64)" LocalizedText="This setup program requires an IA64 platform. It cannot be installed on this platform."/> <Text ID
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):18592
                                                                                                                        Entropy (8bit):5.354489912379098
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:axU6qxM8IJu5M/oZVQZWpieW6ywq0GftpBj8U:aExMwLViWiZ
                                                                                                                        MD5:8031460BFBBA3A081A18A17AEB7F69E4
                                                                                                                        SHA1:EAEB6FC887106B94F825991657832286370E2888
                                                                                                                        SHA-256:E24A420811B72C08869E7420825169C791BA72E28DFF7AAE3B573BE82660DA6F
                                                                                                                        SHA-512:F43A37DC1B6D6CAC5A3C9E9B80A6EE9035C101A2BBD8F30E77C62AD7E3F82AFFB80C85BE65A2A0A94DD0F09898A34400780128EAA2BE7F3603C1E0FA0E445C6B
                                                                                                                        Malicious:false
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):173097
                                                                                                                        Entropy (8bit):5.0110230942141385
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3072:mMbPS47EGJA7JDnbyiBTmAO3FQ31Rdz5Zq3Khj:rmP
                                                                                                                        MD5:744F01E0DCE8AB0BD7483C7862CFA95D
                                                                                                                        SHA1:33E03C297697B479604144263F39508F0F6A5317
                                                                                                                        SHA-256:2FF20E0B3E20BC5BDE56F9ACF99D4CFBCD8838F0D8A0594FC3AE4BAD0FEA98B9
                                                                                                                        SHA-512:6E42AD4083C44409C7C0102C01D9255DFC3519322D99EC41ED878A484420A02EE29DA1EFC03C9C655AF7D00EABB8873D1330F1775BE32B1C331AF26E9D01309A
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (580), with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):39960
                                                                                                                        Entropy (8bit):3.546136332718863
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:4vE1fXRqJZzSWHGfFchpWmlwD+s+gfgol6LuFqJ+kJqNvqBv:gENXR2dGfFApWmlk+BgooMLCqJUq
                                                                                                                        MD5:C535B0D3BAD7CD3764E4A8C36D7CC511
                                                                                                                        SHA1:03B90F562D1BC51E10B25FA39F79E00BD5C43CB7
                                                                                                                        SHA-256:41D63B6A88DE932DBCD7BE2C3028CBA9E2F7760DA88068F0FE1A2553C8FEB071
                                                                                                                        SHA-512:885247EB1AC9E98954C73C6139BC2382D8B28C06A6D4D782DC22EFBADED7C7EE902ADCFA258AB0A1388C45A87B54E4020BCE7FB49B7F845BAA415BC600125378
                                                                                                                        Malicious:false
                                                                                                                        Preview:<?xml version="1.0" encoding="utf-16"?> <Setup xmlns="http://schemas.microsoft.com/Setup/2008/01/im" xmlns:ironman="http://schemas.microsoft.com/Setup/2008/01/im"> <LocalizedData> <Language> <Text ID="#(loc.Blocker_X64)" LocalizedText="This setup program requires an x64 platform. It cannot be installed on this platform."/> <Text ID="#(loc.Blocker_IA64)" LocalizedText="This setup program requires an IA64 platform. It cannot be installed on this platform."/> <Text ID
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):15008
                                                                                                                        Entropy (8bit):6.150172640342626
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:192:4sLnUfwVWtTXjuQShyjK7pWkEWYBqSya6HIp24uDBks/nGfe4pBjS7WU5P0:beCTFhMKtWkEW3aCIc3q0GftpBjHT
                                                                                                                        MD5:09139FE9213E071CCE9072068AC27716
                                                                                                                        SHA1:27F31086C8584E0BA431B946BE8A087261EC508C
                                                                                                                        SHA-256:BDAE5CB98081DBB3D02D7A6C30D9CA5E738A0570EAABE05B9F2D7DC718BB784C
                                                                                                                        SHA-512:3D2473D26A30FE3DEC427B2DB630F6D8F8685CA910408FD863F79480A1D4128ACDD07BB870AE1B8566441AEC453D494D02592833C2346AF3312E3F36A08DC538
                                                                                                                        Malicious:false
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):223296
                                                                                                                        Entropy (8bit):4.980695202984838
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3072:UAL9Tu+H/4HMHZ30RJAAJLcbeRBEmAZKPI5HMGZ+R2I:u+H/Te
                                                                                                                        MD5:0D0A99667BDE846F63C90A954D849708
                                                                                                                        SHA1:FC27A9922D3B9A515D35D02CC31AA0056216CD9A
                                                                                                                        SHA-256:51EB28C21CFE9BBE59946E1F6851A3E166731CF46DBC875975F2D3E696CEB2E4
                                                                                                                        SHA-512:E41789F0A7867CCD322AF613A8BB218846BF2B8A9C0B189E7C35BBE169C1B8C599D428354867480E9DFBA5B39DD9195FB10ED05D243DDA4F70E6F083699F5C83
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (580), with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):39960
                                                                                                                        Entropy (8bit):3.546136332718863
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:4vE1fXRqJZzSWHGfFchpWmlwD+s+gfgol6LuFqJ+kJqNvqBv:gENXR2dGfFApWmlk+BgooMLCqJUq
                                                                                                                        MD5:C535B0D3BAD7CD3764E4A8C36D7CC511
                                                                                                                        SHA1:03B90F562D1BC51E10B25FA39F79E00BD5C43CB7
                                                                                                                        SHA-256:41D63B6A88DE932DBCD7BE2C3028CBA9E2F7760DA88068F0FE1A2553C8FEB071
                                                                                                                        SHA-512:885247EB1AC9E98954C73C6139BC2382D8B28C06A6D4D782DC22EFBADED7C7EE902ADCFA258AB0A1388C45A87B54E4020BCE7FB49B7F845BAA415BC600125378
                                                                                                                        Malicious:false
                                                                                                                        Preview:<?xml version="1.0" encoding="utf-16"?> <Setup xmlns="http://schemas.microsoft.com/Setup/2008/01/im" xmlns:ironman="http://schemas.microsoft.com/Setup/2008/01/im"> <LocalizedData> <Language> <Text ID="#(loc.Blocker_X64)" LocalizedText="This setup program requires an x64 platform. It cannot be installed on this platform."/> <Text ID="#(loc.Blocker_IA64)" LocalizedText="This setup program requires an IA64 platform. It cannot be installed on this platform."/> <Text ID
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):19616
                                                                                                                        Entropy (8bit):5.334559203495453
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:C5v6Lbg2zZTf1JmWOeWxfEQq0GftpBjH0:C219exFip0
                                                                                                                        MD5:42D0CE4FC0D9A9288BD23429374D5865
                                                                                                                        SHA1:1645682C7DE6E5AB8E135AEE140A8CA1CA3A4B24
                                                                                                                        SHA-256:02441B04847FF987A961C3968405E21F0A3DD5875ED51906E3A8225A2F95468D
                                                                                                                        SHA-512:AF08FC313BBF6C4DE6C59CD0DFC4E7E0D8134F6BC613D1AC77FB0093ED7E70542BA223FF621692B06271D035816639F7530BC480B20F17964C064B9923102000
                                                                                                                        Malicious:false
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):143979
                                                                                                                        Entropy (8bit):5.026613511351579
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3072:OdwkNE1VK8RJH7J3g7i1BE5rBvNQnKSusdZOc5Ji:RkNuVS
                                                                                                                        MD5:478460CCC7C0080975D49DDEB89FBE2B
                                                                                                                        SHA1:2DC7DF50CA95A932F5BD0D1DF3801D4A513E6936
                                                                                                                        SHA-256:7E10681551708357273FC6A9CFE40E910AB28443F77F1E801603C0B546296E7E
                                                                                                                        SHA-512:2C1AFBC12FC97252B74BAA662CF1B618A8B7BF0A66E3132F4898724FFFD7B063B7C66A98C4CE2A48BAC15855C58B5FBB9554DEAC8506FA9AD629BC48EB288CA1
                                                                                                                        Malicious:false
                                                                                                                        Preview:{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff0\deff0\stshfdbch0\stshfloch0\stshfhich0\stshfbi0\deflang1033\deflangfe1033\themelang1033\themelangfe2052\themelangcs1025{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman{\*\falt Times};}..{\f2\fbidi \fmodern\fcharset0\fprq1{\*\panose 02070309020205020404}Courier New{\*\falt Arial};}{\f3\fbidi \froman\fcharset2\fprq2{\*\panose 05050102010706020507}Symbol{\*\falt Times};}..{\f10\fbidi \fnil\fcharset2\fprq2{\*\panose 05000000000000000000}Wingdings{\*\falt Symbol};}{\f11\fbidi \fmodern\fcharset128\fprq1{\*\panose 02020609040205080304}MS Mincho{\*\falt ?l?r ??\'81\'66c};}..{\f13\fbidi \fnil\fcharset134\fprq2{\*\panose 02010600030101010101}SimSun{\*\falt ???\'a1\'ec??};}{\f34\fbidi \froman\fcharset0\fprq2{\*\panose 02040503050406030204}Cambria Math{\*\falt Calisto MT};}..{\f38\fbidi \fswiss\fcharset0\fprq2{\*\panose 020b0604030504040204}Tahoma{\*\falt ?l?r ??u!??I};}{\f39\fbidi \fswiss\fcharset0\fprq2{\*\
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:HTML document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):16118
                                                                                                                        Entropy (8bit):3.6434775915277604
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:192:7Ddx3KOTczFQ21Kp4n5DTx1iDecPeLHLHQFJFjZWblWUxFzJzcKHjT:fdsOT01KcBUFJFEWUxFzvHH
                                                                                                                        MD5:CD131D41791A543CC6F6ED1EA5BD257C
                                                                                                                        SHA1:F42A2708A0B42A13530D26515274D1FCDBFE8490
                                                                                                                        SHA-256:E139AF8858FE90127095AC1C4685BCD849437EF0DF7C416033554703F5D864BB
                                                                                                                        SHA-512:A6EE9AF8F8C2C7ACD58DD3C42B8D70C55202B382FFC5A93772AF7BF7D7740C1162BB6D38A4307B1802294A18EB52032D410E128072AF7D4F9D54F415BE020C9A
                                                                                                                        Malicious:false
                                                                                                                        Preview:<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <!-- The Extended Copyright/Trademark Language Resides At: http://www.microsoft.com/info/cpyrtInfrg.htm --> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-16"/><base target="_blank"/> <style type="text/css"> html{overflow:scroll} body{font-size:10pt;font-family:Verdana;color:#000000;background-color:#F0F0F0} .header
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:MS Windows icon resource - 13 icons, 16x16, 16 colors, 4 bits/pixel, 16x16, 8 bits/pixel
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):88533
                                                                                                                        Entropy (8bit):7.210526848639953
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:xWayqxMQP8ZOs0JOG58d8vo2zYOvvHAj/4/aXj/Nhhg73BVp5vEdb:e/gB4H8vo2no0/aX7C7Dct
                                                                                                                        MD5:F9657D290048E169FFABBBB9C7412BE0
                                                                                                                        SHA1:E45531D559C38825FBDE6F25A82A638184130754
                                                                                                                        SHA-256:B74AD253B9B8F9FCADE725336509143828EE739CC2B24782BE3ECFF26F229160
                                                                                                                        SHA-512:8B93E898148EB8A751BC5E4135EFB36E3AC65AF34EAAC4EA401F1236A2973F003F84B5CFD1BBEE5E43208491AA1B63C428B64E52F7591D79329B474361547268
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):1150
                                                                                                                        Entropy (8bit):4.923507556620034
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:24:dOjNyw2aSGZHJi4U7Wf0mDX+QF7s/AemFAh:MjNyw/0NW9DOp/ANC
                                                                                                                        MD5:7E55DDC6D611176E697D01C90A1212CF
                                                                                                                        SHA1:E2620DA05B8E4E2360DA579A7BE32C1B225DEB1B
                                                                                                                        SHA-256:FF542E32330B123486797B410621E19EAFB39DF3997E14701AFA4C22096520ED
                                                                                                                        SHA-512:283D381AA396820B7E15768B20099D67688DA1F6315EC9F7938C2FCC3167777502CDED0D1BEDDF015A34CC4E5D045BCB665FFD28BA2FBB6FAF50FDD38B31D16E
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):894
                                                                                                                        Entropy (8bit):2.5118974066097444
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:6:kRKqNllGuv/ll2dL/rK//dlQt0tlWMlMN8Fq/wbD4tNZDlNc367YCm6p+Wvtjlpr:pIGOmDAQt8n+uNbctNZ5w6AsXjKHRp5c
                                                                                                                        MD5:26A00597735C5F504CF8B3E7E9A7A4C1
                                                                                                                        SHA1:D913CB26128D5CA1E1AC3DAB782DE363C9B89934
                                                                                                                        SHA-256:37026C4EA2182D7908B3CF0CEF8A6F72BDDCA5F1CFBC702F35B569AD689CF0AF
                                                                                                                        SHA-512:08CEFC5A2B625F261668F70CC9E1536DC4878D332792C751884526E49E7FEE1ECFA6FCCFDDF7BE80910393421CC088C0FD0B0C27C7A7EFF2AE03719E06022FDF
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):894
                                                                                                                        Entropy (8bit):2.5178766234336925
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:12:pmZX5+9wQaxWbwW3h/7eHzemn0iLHRp5c:Md5EaxWbh/Cnt4
                                                                                                                        MD5:8419CAA81F2377E09B7F2F6218E505AE
                                                                                                                        SHA1:2CF5AD8C8DA4F1A38AAB433673F4DDDC7AE380E9
                                                                                                                        SHA-256:DB89D8A45C369303C04988322B2774D2C7888DA5250B4DAB2846DEEF58A7DE22
                                                                                                                        SHA-512:74E504D2C3A8E82925110B7CFB45FDE8A4E6DF53A188E47CF22D664CBB805EBA749D2DB23456FC43A86E57C810BC3D9166E7C72468FBD736DA6A776F8CA015D1
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):894
                                                                                                                        Entropy (8bit):2.5189797450574103
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:12:pPrMIMxPWk3AyORrabBQ+gra2/MXWM4xfQHRp5c:1gxPbXlBQ+gr1ffO4
                                                                                                                        MD5:924FD539523541D42DAD43290E6C0DB5
                                                                                                                        SHA1:19A161531A2C9DBC443B0F41B97CBDE7375B8983
                                                                                                                        SHA-256:02A7FE932029C6FA24D1C7CC06D08A27E84F43A0CBC47B7C43CAC59424B3D1F6
                                                                                                                        SHA-512:86A4C5D981370EFA20183CC4A52C221467692E91539AC38C8DEF1CC200140F6F3D9412B6E62FAF08CA6668DF401D8B842C61B1F3C2A4C4570F3B2CEC79C9EE8B
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):894
                                                                                                                        Entropy (8bit):2.5119705312617957
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:6:kRK///FleTxml+SzNaoT9Q0/lHOmMdrYln8OUo/XRWl2XOXFBYpqnHp/p5c:p///FPwxUrMunUofRReFNHRp5c
                                                                                                                        MD5:BB55B5086A9DA3097FB216C065D15709
                                                                                                                        SHA1:1206C708BD08231961F17DA3D604A8956ADDCCFE
                                                                                                                        SHA-256:8D82FF7970C9A67DA8134686560FE3A6C986A160CED9D1CC1392F2BA75C698AB
                                                                                                                        SHA-512:DE9226064680DA6696976A4A320E08C41F73D127FBB81BF142048996DF6206DDB1C2FE347C483CC8E0E50A00DAB33DB9261D03F1CD7CA757F5CA7BB84865FCA9
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):894
                                                                                                                        Entropy (8bit):2.5083713071878764
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:6:kRKi+Blqkl/QThulVDYa5a//ItEl/aotzauakg//5aM1lkl05Kaag2/JqnHp/p5c:pXBHehqSayIylrtBg/bk4AgzHRp5c
                                                                                                                        MD5:3B4861F93B465D724C60670B64FCCFCF
                                                                                                                        SHA1:C672D63C62E00E24FBB40DA96A0CC45B7C5EF7F0
                                                                                                                        SHA-256:7237051D9AF5DB972A1FECF0B35CD8E9021471740782B0DBF60D3801DC9F5F75
                                                                                                                        SHA-512:2E798B0C9E80F639571525F39C2F50838D5244EEDA29B18A1FAE6C15D939D5C8CD29F6785D234B54BDA843A645D1A95C7339707991A81946B51F7E8D5ED40D2C
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):894
                                                                                                                        Entropy (8bit):2.5043420982993396
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:12:pjs+/hlRwx5REHevtOkslTaGWOpRFkpRHkCHRp5c:tZ/u+HeilBh/F+Rd4
                                                                                                                        MD5:70006BF18A39D258012875AEFB92A3D1
                                                                                                                        SHA1:B47788F3F8C5C305982EB1D0E91C675EE02C7BEB
                                                                                                                        SHA-256:19ABCEDF93D790E19FB3379CB3B46371D3CBFF48FE7E63F4FDCC2AC23A9943E4
                                                                                                                        SHA-512:97FDBDD6EFADBFB08161D8546299952470228A042BD2090CD49896BC31CCB7C73DAB8F9DE50CDAF6459F7F5C14206AF7B90016DEEB1220943D61C7324541FE2C
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):894
                                                                                                                        Entropy (8bit):2.4948009720290445
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:6:kRKIekllisUriJ2IP+eX8iDml8mS8+hlxllwqlllkg2klHYdpqnHp/p5c:p8os0iieX8iNVHX//x2sHYdoHRp5c
                                                                                                                        MD5:FB4DFEBE83F554FAF1A5CEC033A804D9
                                                                                                                        SHA1:6C9E509A5D1D1B8D495BBC8F57387E1E7E193333
                                                                                                                        SHA-256:4F46A9896DE23A92D2B5F963BCFB3237C3E85DA05B8F7660641B3D1D5AFAAE6F
                                                                                                                        SHA-512:3CAEB21177685B9054B64DEC997371C4193458FF8607BCE67E4FBE72C4AF0E6808D344DD0D59D3D0F5CE00E4C2B8A4FFCA0F7D9352B0014B9259D76D7F03D404
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):894
                                                                                                                        Entropy (8bit):2.513882730304912
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:12:pPv1OuTerb53mpOBfXjQuZfKWpIXE1D6HRp5c:91OEerb53eUQsflpIP4
                                                                                                                        MD5:D1C53003264DCE4EFFAF462C807E2D96
                                                                                                                        SHA1:92562AD5876A5D0CB35E2D6736B635CB5F5A91D9
                                                                                                                        SHA-256:5FB03593071A99C7B3803FE8424520B8B548B031D02F2A86E8F5412AC519723C
                                                                                                                        SHA-512:C34F8C05A50DC0DE644D1F9D97696CDB0A1961C7C7E412EB3DF2FD57BBD34199CF802962CA6A4B5445A317D9C7875E86E8E62F6C1DF8CC3415AFC0BD26E285BD
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):1150
                                                                                                                        Entropy (8bit):4.824239610266714
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:24:Br5ckw0Pce/WPv42lPpJ2/BatY9Y4ollEKeKzn:h6kPccWPQS2UtEYFEKeu
                                                                                                                        MD5:7D62E82D960A938C98DA02B1D5201BD5
                                                                                                                        SHA1:194E96B0440BF8631887E5E9D3CC485F8E90FBF5
                                                                                                                        SHA-256:AE041C8764F56FD89277B34982145D16FC59A4754D261C861B19371C3271C6E5
                                                                                                                        SHA-512:AB06B2605F0C1F6B71EF69563C0C977D06C6EA84D58EF7F2BAECBA566D6037D1458C2B58E6BFD70DDEF47DCCBDEA6D9C2F2E46DEA67EA9E92457F754D7042F67
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:MS Windows icon resource - 12 icons, 16x16, 16 colors, 4 bits/pixel, 16x16, 8 bits/pixel
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):36710
                                                                                                                        Entropy (8bit):5.3785085024370805
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:IXcWz9GU46B4riEzg8CKcqxkk63gBh6wSphnBcI/ObMFp2rOebgcjTQcho:IMWQ2Bf8qqxMQP8pc4XessTJo
                                                                                                                        MD5:3D25D679E0FF0B8C94273DCD8B07049D
                                                                                                                        SHA1:A517FC5E96BC68A02A44093673EE7E076AD57308
                                                                                                                        SHA-256:288E9AD8F0201E45BC187839F15ACA79D6B9F76A7D3C9274C80F5D4A4C219C0F
                                                                                                                        SHA-512:3BDE668004CA7E28390862D0AE9903C756C16255BDBB3F7E73A5B093CE6A57A3165D6797B0A643B254493149231ACA7F7F03E0AF15A0CBE28AFF02F0071EC255
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):1150
                                                                                                                        Entropy (8bit):5.038533294442847
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:24:MuoBP5lj49s9NRDe4LakKcTM8cv99uGzMN:MlFH3/Ri4LaN3q
                                                                                                                        MD5:661CBD315E9B23BA1CA19EDAB978F478
                                                                                                                        SHA1:605685C25D486C89F872296583E1DC2F20465A2B
                                                                                                                        SHA-256:8BFC77C6D0F27F3D0625A884E0714698ACC0094A92ADCB6DE46990735AE8F14D
                                                                                                                        SHA-512:802CC019F07FD3B78FCEFDC8404B3BEB5D17BFC31BDED90D42325A138762CC9F9EBFD1B170EC4BBCCCF9B99773BD6C8916F2C799C54B22FF6D5EDD9F388A67C6
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):1150
                                                                                                                        Entropy (8bit):5.854644771288791
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:24:u2iVNINssNQhYMEyfCHWZZ7rTRrbWjcyuE:uDW871fdZ1lbWjME
                                                                                                                        MD5:EE2C05CC9D14C29F586D40EB90C610A9
                                                                                                                        SHA1:E571D82E81BD61B8FE4C9ECD08869A07918AC00B
                                                                                                                        SHA-256:3C9C71950857DDB82BAAB83ED70C496DEE8F20F3BC3216583DC1DDDA68AEFC73
                                                                                                                        SHA-512:0F38FE9C97F2518186D5147D2C4A786B352FCECA234410A94CC9D120974FC4BE873E39956E10374DA6E8E546AEA5689E7FA0BEED025687547C430E6CEFFABFFB
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:MS Windows icon resource - 6 icons, 32x32, 16 colors, 4 bits/pixel, 16x16, 16 colors, 4 bits/pixel
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):10134
                                                                                                                        Entropy (8bit):6.016582854640062
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:96:uC1kqWje1S/f1AXa0w+2ZM4xD02EuZkULqcA0zjrpthQ2Ngms9+LmODclhpjdfLt:JkqAFqroMS9lD9Ngr9+m7bxpXHT5ToYR
                                                                                                                        MD5:5DFA8D3ABCF4962D9EC41CFC7C0F75E3
                                                                                                                        SHA1:4196B0878C6C66B6FA260AB765A0E79F7AEC0D24
                                                                                                                        SHA-256:B499E1B21091B539D4906E45B6FDF490D5445256B72871AECE2F5B2562C11793
                                                                                                                        SHA-512:69A13D4348384F134BA93C9A846C6760B342E3A7A2E9DF9C7062088105AC0B77B8A524F179EFB1724C0CE168E01BA8BB46F2D6FAE39CABE32CAB9A34FC293E4A
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:MS Windows icon resource - 6 icons, 32x32, 16 colors, 4 bits/pixel, 16x16, 16 colors, 4 bits/pixel
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):10134
                                                                                                                        Entropy (8bit):4.3821301214809045
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:192:USAk9ODMuYKFfmiMyT4dvsZQl+g8DnPUmXtDV3EgTtc:r9wM7pyEBlcgssmXpVUgJc
                                                                                                                        MD5:B2B1D79591FCA103959806A4BF27D036
                                                                                                                        SHA1:481FD13A0B58299C41B3E705CB085C533038CAF5
                                                                                                                        SHA-256:FE4D06C318701BF0842D4B87D1BAD284C553BAF7A40987A7451338099D840A11
                                                                                                                        SHA-512:5FE232415A39E0055ABB5250B120CCDCD565AB102AA602A3083D4A4705AC6775D45E1EF0C2B787B3252232E9D4673FC3A77AAB19EC79A3FF8B13C4D7094530D2
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (381), with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):115286
                                                                                                                        Entropy (8bit):3.5224883484656044
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:dfz8H5uWKoeGTQGimuuYYl8+PayLqhykz0qFg2EIl:1yIl
                                                                                                                        MD5:ADAF11855C1463B8EB94C2F7BEA6B523
                                                                                                                        SHA1:F2AC6A6144AFCE683955B4831109889AD2FB1696
                                                                                                                        SHA-256:C0C342B39F7EC3F7174DF12FDFDE8D235707243C22F92367BA6C4F134522E3D2
                                                                                                                        SHA-512:3D9C8D2D6042E97DBA0C3FB2D042562DC6CF9AD6551EA5BFFC7EB2B1FD61B643CDD94FE351297DA7FF03C95AA32DC76D5684437C0F614C959B77237ED66DFDA6
                                                                                                                        Malicious:false
                                                                                                                        Preview:<?xml version="1.0" encoding="utf-16"?> <Setup xmlns="http://schemas.microsoft.com/Setup/2008/01/im" xmlns:ironman="http://schemas.microsoft.com/Setup/2008/01/im" SetupVersion="1.0"> <UI Dll="SetupUi.dll" Name="Microsoft Visual Studio Tools for Office Runtime 2010 Setup" Version="10.0.60825" /> <Configuration> <DisabledCommandLineSwitches> <CommandLineSwitch Name="createlayout" /> </DisabledCommandLineSwitches> <UserExperienceDataCollection Policy="UserControlled" /
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):78992
                                                                                                                        Entropy (8bit):6.042115664108956
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:mXNItbBL5NWiiESy8exWZnqxMQP8ZOs0JSc:mXNAB9NWTZyVc/gBAc
                                                                                                                        MD5:DC0E68D2F5C7894259FE7B78D6336CD8
                                                                                                                        SHA1:F7E243B3B850EB3C2197127BA2CCC64847EA71E0
                                                                                                                        SHA-256:7A4AC2D2F3A3A482E1DA90B368DA1412695D3497C5C887ECE5019190BB9E1E7F
                                                                                                                        SHA-512:8733D7ED09428577DD02278DE64A7A3625B5FCE0C425CC09F73311CC16BA41ECD0CD2F1A1C42886E2F4389FE7EF6D5161174207BF290B55A5D4A59FBEE321672
                                                                                                                        Malicious:false
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):810144
                                                                                                                        Entropy (8bit):6.362812683413623
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:24576:8S62nlYAmRAL10LDDuNkAgkF/WZxtYa8KuKlA1Mi:8S62nlYA6rU/WZxKa8QlA1Mi
                                                                                                                        MD5:1AFB14F57AE1C831F989DB780DE809B8
                                                                                                                        SHA1:7C7CEE33AA85285B98BC62F93B2E693B4D7F956C
                                                                                                                        SHA-256:828A30D690CC3F4B8C9B7ED839FA9A567DAE6379AFB868303B7432303A2C006F
                                                                                                                        SHA-512:2E094E5DC939B399D00833C57C520F9E218885C54C77121F522DAADA37E8E0F1F2BCB510440385B75783626FACE099B6C0564C6D8A16727E799B25A2D121607B
                                                                                                                        Malicious:false
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):296088
                                                                                                                        Entropy (8bit):6.270103067148403
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3072:KLTVUK59JNmC0iy4Ww8oBcPFIOrvHvr8QDZHAAKWiIHT6llN1BkvQZaiio2v5yV+:4GoMFrz8ygAKWiiINKqF3
                                                                                                                        MD5:64445C6086992AD499E98678173439AF
                                                                                                                        SHA1:3AA6FB34A2EC81033A4AAD88ADCBA5E4CB645651
                                                                                                                        SHA-256:53B0798B7FA98C295F6E92AB833DDEE86D0F73A819AB10A38576E402C5D3F378
                                                                                                                        SHA-512:4DFC67C93D7C1B9636805EDF7160A17709E5543F5580183D0FF7FB96CC831BA34F0CAF292CDF2E619CDDE23892A40D3D9FB3AC25F466D42C70184BD7C9425452
                                                                                                                        Malicious:false
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:XML 1.0 document, ASCII text, with very long lines (335), with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):30120
                                                                                                                        Entropy (8bit):4.990211039591874
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:768:hlzLm8eYhsPs05F8/ET/chT+cxcW8G2P4oeTMC:1wchT+cxcDm
                                                                                                                        MD5:2FADD9E618EFF8175F2A6E8B95C0CACC
                                                                                                                        SHA1:9AB1710A217D15B192188B19467932D947B0A4F8
                                                                                                                        SHA-256:222211E8F512EDF97D78BC93E1F271C922D5E91FA899E092B4A096776A704093
                                                                                                                        SHA-512:A3A934A8572FF9208D38CF381649BD83DE227C44B735489FD2A9DC5A636EAD9BB62459C9460EE53F61F0587A494877CD3A3C2611997BE563F3137F8236FFC4CA
                                                                                                                        Malicious:false
                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema".. xmlns="http://schemas.microsoft.com/SetupUI/2008/01/imui".. xmlns:imui="http://schemas.microsoft.com/SetupUI/2008/01/imui".. targetNamespace="http://schemas.microsoft.com/SetupUI/2008/01/imui".. elementFormDefault="qualified"..attributeFormDefault="unqualified"..>.... <xs:annotation>.. <xs:documentation>.. Copyright (c) Microsoft Corporation. All rights reserved... Schema for describing DevDiv "Setup UI Info".. </xs:documentation>.. </xs:annotation>.... <xs:element name="SetupUI">.. <xs:annotation>.. <xs:documentation>specifies UI dll, and lists of MSIs MSPs and EXEs</xs:documentation>.. </xs:annotation>.. <xs:complexType>.. <xs:sequence>.. <xs:choice>.. <xs:element ref="UI" minOccurs="1" maxOccurs="1"></xs:element>.. <xs:element ref="Strings" minOccurs="1" maxOccurs="1"></xs:element>..
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PC bitmap, Windows 3.x format, 200 x 200 x 8, image size 40000, resolution 3779 x 3779 px/m, cbSize 41078, bits offset 1078
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):41078
                                                                                                                        Entropy (8bit):0.3169962482036715
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:24:SgrNa0EfB4elU+jB+rQXJH4+Cs77hIfVHCv4ToqIzgPc8wcKHL+3:3pa0e4YjB5vAHk4E7zgPcDc53
                                                                                                                        MD5:43B254D97B4FB6F9974AD3F935762C55
                                                                                                                        SHA1:F94D150C94064893DAED0E5BBD348998CA9D4E62
                                                                                                                        SHA-256:91A21EBA9F5E1674919EE3B36EFA99714CFB919491423D888CB56C0F25845969
                                                                                                                        SHA-512:46527C88F0AED25D89833B9BE280F5E25FFCEAE6BC0653054C8B6D8EBE34EBA58818A0A02A72BD29279310186AC26D522BBF34191FBDE279A269FC9DA5840ACC
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):14246
                                                                                                                        Entropy (8bit):3.70170676934679
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:VAZo71GHY3vqaqMnYfHHVXIHjfBHwnwXCa+F:VAB
                                                                                                                        MD5:332ADF643747297B9BFA9527EAEFE084
                                                                                                                        SHA1:670F933D778ECA39938A515A39106551185205E9
                                                                                                                        SHA-256:E49545FEEAE22198728AD04236E31E02035AF7CC4D68E10CBECFFD08669CBECA
                                                                                                                        SHA-512:BEA95CE35C4C37B4B2E36CC1E81FC297CC4A8E17B93F10423A02B015DDB593064541B5EB7003560FBEEE512ED52869A113A6FB439C1133AF01F884A0DB0344B0
                                                                                                                        Malicious:false
                                                                                                                        Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p.U.I. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p.U.I./.2.0.0.8./.0.1./.i.m.u.i.". ..... . . . . . . . . .x.m.l.n.s.:.i.m.u.i.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p.U.I./.2.0.0.8./.0.1./.i.m.u.i.". .>..... . .<.S.t.r.i.n.g.s.>..... . . . .<.!.-.-. .R.e.f.l.e.c.t.i.v.e. .p.r.o.p.e.r.t.y. .p.a.g.e. .-.-.>..... . . . .<.I.D.S._.C.A.P.T.I.O.N._.F.O.R.M.A.T._.1.S.>.#.(.l.o.c...i.d.s._.c.a.p.t.i.o.n._.f.o.r.m.a.t._.1.s.).<./.I.D.S._.C.A.P.T.I.O.N._.F.O.R.M.A.T._.1.S.>..... . . . .<.I.D.S._.I.S._.R.E.A.L.L.Y._.C.A.N.C.E.L.>.#.(.l.o.c...i.d.s._.i.s._.r.e.a.l.l.y._.c.a.n.c.e.l.).<./.I.D.S._.I.S._.R.E.A.L.L.Y._.C.A.N.C.E.L.>......... . . . .<.!.-.-. .S.y.s.t.e.m. .R.e.q.u.i.r.e.m.e.n.t.s. .p.a.g.e. .-.-.>..... . . . .<.S.Y.S.R.E.Q.P.A.G.E._.R.E.Q.U.I.R.E.D._.A.N.D._.A.V.A.I.L.A.B.L.E._.D.I.S.K._.S.P.A.C.E.>.#.(.l.o.c...s.y.s.r.e.q.
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):36342
                                                                                                                        Entropy (8bit):3.0937266645670003
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:768:S4UR0d5v0SguJQvFQXvDINJh6Fmhvk71sO0Nep3UL9Eu+dOtOcOdOjT5fuPkfuS:S4UR0d5v0QYQLIN/6Fmhvk71sO0Nep3q
                                                                                                                        MD5:812F8D2E53F076366FA3A214BB4CF558
                                                                                                                        SHA1:35AE734CFB99BB139906B5F4E8EFBF950762F6F0
                                                                                                                        SHA-256:0D36A884A8381778BEA71F5F9F0FC60CACADEBD3F814679CB13414B8E7DBC283
                                                                                                                        SHA-512:1DCC3EF8C390CA49FBCD50C02ACCD8CC5700DB3594428E2129F79FEB81E4CBBEEF1B4A10628B2CD66EDF31A69ED39CA2F4E252AD8AA13D2F793FCA5B9A1EAF23
                                                                                                                        Malicious:false
                                                                                                                        Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p.U.I. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p.U.I./.2.0.0.8./.0.1./.i.m.u.i.". .x.m.l.n.s.:.i.m.u.i.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p.U.I./.2.0.0.8./.0.1./.i.m.u.i.". .>..... . .<.U.I.>......... . . . .<.R.e.s.o.u.r.c.e.D.l.l.>.S.e.t.u.p.R.e.s.o.u.r.c.e.s...d.l.l.<./.R.e.s.o.u.r.c.e.D.l.l.>..... . . . .<.S.p.l.a.s.h.S.c.r.e.e.n.>..... . . . . . .<.H.i.d.e./.>..... . . . .<./.S.p.l.a.s.h.S.c.r.e.e.n.>......... . . . .<.L.C.I.D.H.i.n.t.s.>..... . . . . . .<.L.C.I.D.H.i.n.t.>..... . . . . . . . .<.R.e.g.K.e.y.>.H.K.C.U.\.S.o.f.t.w.a.r.e.\.M.i.c.r.o.s.o.f.t.\.V.i.s.u.a.l.S.t.u.d.i.o.\.9...0.\.G.e.n.e.r.a.l.<./.R.e.g.K.e.y.>..... . . . . . . . .<.R.e.g.V.a.l.u.e.N.a.m.e.>.U.I.L.a.n.g.u.a.g.e._.f.a.k.e.<./.R.e.g.V.a.l.u.e.N.a.m.e.>..... . . . . . .<./.L.C.I.D.H.i.n.t.>..... . . . . . .<.L.C.I.D.H.i.n.t.>..... . . . . .
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2010 x64 Redistributable, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219., Create Time/Date: Wed Jun 29 03:00:42 2011, Name of Creating Application: Windows Installer XML (3.5.0626.3), Security: 4, Template: x64;0, Last Saved By: x64;0, Revision Number: {1D8E6291-B0D5-35EC-8441-6616F567A0F7}10.0.40219;{1D8E6291-B0D5-35EC-8441-6616F567A0F7}10.0.40219;{5B75F761-BAC8-33BC-A381-464DDDD813A3}, Number of Pages: 200, Number of Characters: 153223199
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):4637184
                                                                                                                        Entropy (8bit):7.994962048491895
                                                                                                                        Encrypted:true
                                                                                                                        SSDEEP:98304:v03YogTE/3ftYrhhHk6K3N04fREXLNaxCSVMZhQ1f:ZgGhRk6KdNfS6vuo1f
                                                                                                                        MD5:905FCC526204DDF1E6650212ABC3D848
                                                                                                                        SHA1:ADED77F45B75D796CC4795263C826C822DF5F0D9
                                                                                                                        SHA-256:4CD45CF57644D49B4C8F96E4A0EFDC46A5BA196FA4F5A10190F790CCC74BB1BF
                                                                                                                        SHA-512:9470FCD540EA542936120782AA31ABECAF5D20CADD13FF82AD346F78F95020958937BEB2BFCF5EA4DE92C978338F5A324E334229C79F8166C66A1465E191BA47
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:Microsoft Cabinet archive data, 4872031 bytes, 19 files, at 0x44 +A "F_CENTRAL_atl100_x64" +A "F_CENTRAL_mfc100_x64", flags 0x4, number 1, extra bytes 20 in head, 444 datablocks, 0x1503 compression
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):4877975
                                                                                                                        Entropy (8bit):7.9998740597269355
                                                                                                                        Encrypted:true
                                                                                                                        SSDEEP:98304:kQ9QwhEDvkC7OSEEA8cWnjlaVjhx05JXW0UE2pSh1b38M:k7wWDvkGRFRrjla/a5JXD2grbMM
                                                                                                                        MD5:C2B6838431748D42E247C574A191B2C2
                                                                                                                        SHA1:F01C1A083C158D9470DA3919B461938560E90874
                                                                                                                        SHA-256:387E94A26165E4E5F035D89F9C6589A8A9D223978ABBCC728B4C45C0115267A6
                                                                                                                        SHA-512:5CF95C3CBE10A75360BC4D02840E196C919BCD2FD42BA86192D25D781D00E8019217A9C8829F51A2924D8C95BD48E06728A3530E3344000CAC79C4B0E7FAFF91
                                                                                                                        Malicious:false
                                                                                                                        Preview:MSCF...._WJ.....D..........................._WJ.8...........[.......Hk........S>|. .F_CENTRAL_atl100_x64.H.U.Hk....S>|. .F_CENTRAL_mfc100_x64.P....zW...S>|. .F_CENTRAL_mfc100chs_x64.P.....X...S>|. .F_CENTRAL_mfc100cht_x64.P...0.X...S>|. .F_CENTRAL_mfc100deu_x64.P.....Y...S>|. .F_CENTRAL_mfc100enu_x64.P....gZ...S>|. .F_CENTRAL_mfc100esn_x64.P... a[...S>|. .F_CENTRAL_mfc100fra_x64.P...p\\...S>|. .F_CENTRAL_mfc100ita_x64.P....O]...S>|. .F_CENTRAL_mfc100jpn_x64.P.....]...S>|. .F_CENTRAL_mfc100kor_x64.P...`.^...S>|. .F_CENTRAL_mfc100rus_x64.PyU..._...S>|. .F_CENTRAL_mfc100u_x64.Pk........S>|. .F_CENTRAL_mfcm100_x64.Pk..Pv....S>|. .F_CENTRAL_mfcm100u_x64.PG.......S>|. .F_CENTRAL_msvcp100_x64.P....(....S>.. .F_CENTRAL_msvcr100_x64.P...@.....S>|. .F_CENTRAL_vcomp100_x64.P.........S>|. .FL_msdia71_dll_2_60035_amd64_ln.3643236F_FC70_11D3_A536_0090278A1BB8.0d,2F=..[......w...d.5..o.{{{k.V..R.UZ.1.....z..1..Q.4+!.+TZ.ym..Nwwp.;..~.5..B..kE:..9y...iu.K..d..L....{....l....3..;...c.sf.9gw.<..P|U
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2010 x64 Redistributable, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219., Template: x64;0, Revision Number: {80902F2D-E1EF-43CA-B366-74496197E004}, Create Time/Date: Sun Feb 20 06:51:54 2011, Last Saved Time/Date: Sun Feb 20 06:51:54 2011, Number of Pages: 200, Name of Creating Application: Windows Installer XML (3.5.0626.3), Security: 2, Number of Words: 2
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):177664
                                                                                                                        Entropy (8bit):6.308605018559318
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3072:dOTekSoT5jr0BDKE6wIZzx3U9oTCR7XxA5SNmjWVcqelSxbfU75B79o:MT9SoT5+DzE3Ere5Yi
                                                                                                                        MD5:8F21BC0DC9E66F8E9D94197AE76698B3
                                                                                                                        SHA1:B48A08FDE80F739657B819B94602F861F3FF57A4
                                                                                                                        SHA-256:5763364634BDB2097B6DF6CDE79AC5CCE6069ACECF27254C589E3CABFFE53C2B
                                                                                                                        SHA-512:88FD8870BC0F5DBDD2CB4A6A97CF4B1AB81D7FF77C2B2A4D1F6B34A730D0347A5022ECC8CA5B2E7C5F7C2CBE0486D5046CFAFCB8167E001E1AC5E1797D03278A
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2010 x86 Redistributable, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219., Create Time/Date: Wed Jun 29 03:19:52 2011, Name of Creating Application: Windows Installer XML (3.5.0626.3), Security: 4, Template: Intel;0, Last Saved By: Intel;0, Revision Number: {F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}10.0.40219;{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}10.0.40219;{1F4F1D2A-D9DA-32CF-9909-48485DA06DD5}, Number of Pages: 200, Number of Characters: 153223199
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):4028928
                                                                                                                        Entropy (8bit):7.99425811627881
                                                                                                                        Encrypted:true
                                                                                                                        SSDEEP:98304:lEpd3qZ0G3garI8w8xhB2TU01SHMMV6ZArX:KaZtC8vBy10M4
                                                                                                                        MD5:9843DC93EA948CDDC1F480E53BB80C2F
                                                                                                                        SHA1:D6EC9DB8B8802EC85DD0B793565401B67AD8E5E0
                                                                                                                        SHA-256:7C969FCDA6EF09D2EB7BBBC8D81795EB60C9C69ED835FD16538369AD0A6E0F10
                                                                                                                        SHA-512:79008CFDD8AE1EA27675588E7BA8123D08CE14047E5F167B3B5F6FBCDADEB45515BD72E18E59ABF632ECBFBB42243FBCBEBE4CBE0ED6BA195D0B2CA6D88676F9
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:Microsoft Cabinet archive data, 4218761 bytes, 19 files, at 0x44 +A "F_CENTRAL_atl100_x86" +A "F_CENTRAL_mfc100_x86", flags 0x4, number 1, extra bytes 20 in head, 357 datablocks, 0x1503 compression
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):4224705
                                                                                                                        Entropy (8bit):7.999824074209114
                                                                                                                        Encrypted:true
                                                                                                                        SSDEEP:98304:buCaO1KF/Zn4LkYytTHmuzfgnKZ9zWs2wU2Td:buCf1KF/94Lk9TPzf9Os2wU25
                                                                                                                        MD5:C580A38F1A1A7D838076A1B897C37011
                                                                                                                        SHA1:C689488077D1C21820797707078AF826EA676B70
                                                                                                                        SHA-256:71C0ACC75EECDF39051819DC7C26503583F6BE6C43AB2C320853DE15BECE9978
                                                                                                                        SHA-512:EA3A62BD312F1DDEEBE5E3C7911EB3A73BC3EE184ABB7E9B55BC962214F50BBF05D2499CAF151D0BD00735E2021FBEA9584BF3E868A1D4502B75EC3B62C7FF56
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2010 x86 Redistributable, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219., Template: Intel;0, Revision Number: {461C455E-DA40-49B3-871B-14308CC7CEFF}, Create Time/Date: Sun Feb 20 07:03:10 2011, Last Saved Time/Date: Sun Feb 20 07:03:10 2011, Number of Pages: 200, Name of Creating Application: Windows Installer XML (3.5.0626.3), Security: 2, Number of Words: 2
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):163840
                                                                                                                        Entropy (8bit):6.375644516596573
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3072:0oTMYRradauoCcJg95gTdmmYdwYNRTK0+E4mN2E2275V495u:7RWd1odm4mmYdwT1
                                                                                                                        MD5:3FF9ACEA77AFC124BE8454269BB7143F
                                                                                                                        SHA1:8DD6ECAB8576245CD6C8617C24E019325A3B2BDC
                                                                                                                        SHA-256:9ECF3980B29C6AA20067F9F45C64B45AD310A3D83606CD9667895AD35F106E66
                                                                                                                        SHA-512:8D51F692747CFDD59FC839918A34D2B6CBBB510C90DEA83BA936B3F5F39EE4CBD48F6BB7E35ED9E0945BF724D682812532191D91C8F3C2ADB6FF80A8DF89FF7A
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PC bitmap, Windows 3.x format, 49 x 49 x 24, image size 7254, resolution 2834 x 2834 px/m, cbSize 7308, bits offset 54
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):7308
                                                                                                                        Entropy (8bit):3.7864255453272464
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:48:9L9GXidTgX2bqxIS0SRosEYYgJSIf4pKTg7pDdEAeObh8EWu:R/Y2bq10Q/EY1sK8M4bb
                                                                                                                        MD5:3AD1A8C3B96993BCDF45244BE2C00EEF
                                                                                                                        SHA1:308F98E199F74A43D325115A8E7072D5F2C6202D
                                                                                                                        SHA-256:133B86A4F1C67A159167489FDAEAB765BFA1050C23A7AE6D5C517188FB45F94A
                                                                                                                        SHA-512:133442C4A65269F817675ADF01ADCF622E509AA7EC7583BCA8CD9A7EB6018D2AAB56066054F75657038EFB947CD3B3E5DC4FE7F0863C8B3B1770A8FA4FE2E658
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):144416
                                                                                                                        Entropy (8bit):6.7404750879679485
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3072:uochw/MFWrJjKOMxRSepuBaqn/NlnBh2Lx0JVzx1wWobn1ek8F7HncO5hK9YSHlN:zDFB47UhXBh2yJ5HcOSSSHZqG
                                                                                                                        MD5:3F0363B40376047EFF6A9B97D633B750
                                                                                                                        SHA1:4EAF6650ECA5CE931EE771181B04263C536A948B
                                                                                                                        SHA-256:BD6395A58F55A8B1F4063E813CE7438F695B9B086BB965D8AC44E7A97D35A93C
                                                                                                                        SHA-512:537BE86E2F171E0B2B9F462AC7F62C4342BEB5D00B68451228F28677D26A525014758672466AD15ED1FD073BE38142DAE478DF67718908EAE9E6266359E1F9E8
                                                                                                                        Malicious:false
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):552656
                                                                                                                        Entropy (8bit):7.957712058604565
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:12288:A6s5a6l5FpmZUxHEsAfa7i84OV6d4n84UorGv4xMk/qmExCIK8U3Xxjj:Q5L5eUxHFAfGIOFn8MM413ExCIKZ
                                                                                                                        MD5:2A74E9D49C692C1E38D8568AEC7661F4
                                                                                                                        SHA1:504CDBB39E2D9756EDB4388AD343FE0DB8F8E7EF
                                                                                                                        SHA-256:FDFC5E67CCEFAB3854FF00CF3CFEFC1BD0B146FBE83014FCF497D7D54873D659
                                                                                                                        SHA-512:5E9FF38A6552B2A83A915890C90AB9E0AA10AFEA31D3D13A312BE52B748A5139FCE62E1EA52D0F1093D27A5923D7A20F27933811A3C951F99F7CFD9694A5538D
                                                                                                                        Malicious:false
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):542416
                                                                                                                        Entropy (8bit):7.956324892792095
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:12288:M6sQHHhG5Sk0sNWHefXjaqKpD0QoQUJANEjyIecrBccfI:ML5Sk0+WkXjaJRoQUJANEDeyBHw
                                                                                                                        MD5:7C509A4D66CD28D0640767ADD08E7331
                                                                                                                        SHA1:964AB3DA4848A587D4A88FB88874DCA462A3E6F0
                                                                                                                        SHA-256:6F83EB5364E5C5E08BB3ED7BBB5D7E3150B32B422D159BE00EE81D8171D6F75B
                                                                                                                        SHA-512:EEFEBA02941969A34DF481FF5DB87E7DEA4AC61F2178966D608108F281A1062738BF4A95CFAE4E95C3634F82684E2046C22A7DFEE2A832E052EE963EDFE76ADA
                                                                                                                        Malicious:false
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):537808
                                                                                                                        Entropy (8bit):7.956956038879224
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:12288:F6sZT8Jp+4NGUkL9FST9QVI9VmTd/621PxnvR6:PYpxNjE9FST6VI9VmTB7PVvR6
                                                                                                                        MD5:91289959763F54D22B2F07B80CAE3C1F
                                                                                                                        SHA1:678E72A565CA1924B5972510D4EE6A66B7F62A88
                                                                                                                        SHA-256:F7E5AD747BC7E513DEF8C94803475E539CCB9BD11F6424BE9FFB8FA7AB840CCF
                                                                                                                        SHA-512:4B1C7CE49001EA29757799DAB67AB4299F8CBDB6781FC8E254DE7884D82D644F325B2DB08A209C64A9A93A2A07D0DF0237E4365108303B4F91B713E2BB9813F3
                                                                                                                        Malicious:false
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):544968
                                                                                                                        Entropy (8bit):7.95501225671662
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:12288:E6sfWwCyk1HWmpq2ocp6DLqteuz0jTgpkZdsFtjJSKZogxmup:U+nykwZUZwOJSUxmup
                                                                                                                        MD5:D921529CB37FD9EF6A645337F1E80DDB
                                                                                                                        SHA1:BF61199A20491FB6946667A14B61F658026A5149
                                                                                                                        SHA-256:85E97A4A086AD685508BB0E39395FE7FAFD90D768601DB13DD0A5AC50B4C4FFC
                                                                                                                        SHA-512:B1FB1E02DCCCB5CE017A5626EA4E88053D137A3CD148B0C26544BB0AAFDDA2FDB712B896097305A5881569CA3F288883A56D021C1CAEF96CDCAA8815A3743264
                                                                                                                        Malicious:false
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):545992
                                                                                                                        Entropy (8bit):7.954002721782527
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:12288:A6sML5n6qYDHI5LzbkTMyj6aU5RSXd99xbHOHtONtx:QMLt6q2HmjkTL2/Q999
                                                                                                                        MD5:0C17BE44FAFC0C7DB685EB6BD30B776B
                                                                                                                        SHA1:66E3EE1B75CC5CE92A8BFDB01AFE7DBBDA39C736
                                                                                                                        SHA-256:BD89BED2769A353E7F15B48211E31E596DFCD6F69AA85E901F11FA739CBB7CA0
                                                                                                                        SHA-512:ACDD3D65BB8620B5F151B5188D767B0404D43E8C4BD6D0C2B2A52F8A60A65D85C56CF96965A5575C21F7D68BA544EDC3721C4B11398C7C3F47BF4F0406F66F8C
                                                                                                                        Malicious:false
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):543440
                                                                                                                        Entropy (8bit):7.95427769522981
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:12288:56sMpR2Idf2FfaF194TPHHOuILsjRYzF/IMb1:TGR9hyaOPFUwk
                                                                                                                        MD5:CB4E1C500E25FFBFF91D0FB3BBC53E95
                                                                                                                        SHA1:CA5B8232D5D01F01422B9825A00A0B52C8A0E5AD
                                                                                                                        SHA-256:FDD5361642BD460C782670E56E192090559C26B97962168329CB369E6940A99C
                                                                                                                        SHA-512:9DEC3E45689163E04FBB3F7C60267143BAAB3F57C973F24D9AD45A61073C65F437179BB68ABB1608D1A8FFF88AC8124FCD49D04AF4D1E9A27AC356653846C17B
                                                                                                                        Malicious:false
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):547528
                                                                                                                        Entropy (8bit):7.955068805775775
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:12288:U6sKfb8WkF9Q2naJCpdVpZplHkbBrcbim6liJ0hlM:kKfQzMY6FrcuZH0
                                                                                                                        MD5:B1608C97F0954EA7AA7B37FD586FC362
                                                                                                                        SHA1:4E47D9AADEC853950F93578EF67E446B40451C52
                                                                                                                        SHA-256:7504D074227A2EB0414D4FC3EAC26FF93A93004542ABA1792979A2D2A33DF226
                                                                                                                        SHA-512:B6474E1E22E35FC3790232D37D52B9CA2D7A2FCBD1E9C6085B1DA95E9F287DF00D291F0E159B0A882B3A1CCD308FBC49395010D13A5997110B25C5305FAB722A
                                                                                                                        Malicious:false
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):541384
                                                                                                                        Entropy (8bit):7.952415718755693
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:12288:J6sInVOkUPySgbiALGgWbY+EM/3sd7eK//zWSbs1Tjx:jMAkiQnM/3S7p/ZQvx
                                                                                                                        MD5:DE117125977DB80DBA1886629AEF0E35
                                                                                                                        SHA1:E049D4468CCF06B31D35FE568EFDA3C7413CCD61
                                                                                                                        SHA-256:6D189B18D634469FCDE79CAED6B1A30E16CBBEDF7622B247E19D95D0220C973D
                                                                                                                        SHA-512:89EAFE9C21248B1502479A1CD76F679CB396EDCED82DB683EB9FC7B57AE1CE944C58ADC6E54C8C4CDE06216F5C7A08212C928115DE3133112743FC66AC58E16F
                                                                                                                        Malicious:false
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):547528
                                                                                                                        Entropy (8bit):7.957960052771031
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:12288:T6sxA1wk8gl/MU5BB8xn1tnkfmkI3Ys00hiOKOLglFl+fgk:hxA140PjB8xjnkfdI3Y0UOKOyHVk
                                                                                                                        MD5:9F469DF842B33CEAF894DEFA22CB6A15
                                                                                                                        SHA1:99F11CEAFB38711DF3D140EB6EDD11D94CA6AA3D
                                                                                                                        SHA-256:7D5609254E8F0733592E9E7FD2A2F068F2AF65DA17ED4FC342771182A47AB5A3
                                                                                                                        SHA-512:A32F8C7D94EF4712F2DEEB9B5369B14922EFF8770087E027D4645C3D31BD3C06F7F8FB736D6C82B6870CC146F1899A07C625C4B095B212D0FBF8802B73157C56
                                                                                                                        Malicious:false
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):543944
                                                                                                                        Entropy (8bit):7.953439583107411
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:12288:46sHZsnwNvVdjosxgO+oF4y/xkPpI4VEBCyMQelw4DITDP3zWB:Y5swNvbjJKVyu7VpQA/sDr0
                                                                                                                        MD5:8AE7F77A415C45D712BFF150562D6976
                                                                                                                        SHA1:E2579A7CC52CA9F0FF2E77BA762EC1FCE471EF69
                                                                                                                        SHA-256:5B06E7B690C0D0F77E0665135006C1BDDEC5B9BA0DBE88F3F20272AA8238421F
                                                                                                                        SHA-512:5BBBA734B8844554BF2CA28FB649886F15BC0D5D8CFB7CD8B6A80BB3D31CF91B3A1F611FFD1EBD88B8B1A64EB24EC2B8587112C3C105AD2B17109396CF365847
                                                                                                                        Malicious:false
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):543440
                                                                                                                        Entropy (8bit):7.956008314189626
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:12288:f6s9wxGMdr/29VLZJ8TBsOSaOW4NAZdOd1tsE6kbT9cpouxcP:N92dr/O/J8T6G/Zdqe6Xu
                                                                                                                        MD5:A0397A280D88C1F2FF0608C3FE2C4817
                                                                                                                        SHA1:3E4004587BE3DB0C4ACBB936D31DE0225FBD0045
                                                                                                                        SHA-256:16A3B378BC4A37CEDAE969D1AE7ADEB35F6A6042AAA64B915F1B7084F7F61A22
                                                                                                                        SHA-512:00557071461CE15F5F89B060C18C217C6B8E69AB9C77B3564C2B0329A418F3C6B58AA01A05A6499EF2AAF4BC696E2A02D5683D8C4951326012DF2DE3E09385EA
                                                                                                                        Malicious:false
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):535752
                                                                                                                        Entropy (8bit):7.954747666710715
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:12288:Q6swmEaMhKSTnH9KbUShSonzTSPiKc9mZct2tdlK:g6KAH4vSYiP1c4C2tdlK
                                                                                                                        MD5:D70C9E78AAE2F295EDF03EB310E8EAF9
                                                                                                                        SHA1:F1841C135BFB0F7E5E16EB8EF4BB7AECF72B9B22
                                                                                                                        SHA-256:59CE9D917EB89E2CBC3D4A66F0555A317E300CC53529B4DC7954B52897A9BD97
                                                                                                                        SHA-512:4969952515A25E4674692ED26D22064C76FCB94E3505B60A92D9E62FECF3571A1DE2F6FE65D01490782E278664E3D54C07543FB97FFDF863DA13DF2990ACF3DF
                                                                                                                        Malicious:false
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):548552
                                                                                                                        Entropy (8bit):7.953971612012602
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:12288:56sNXnC9Oi4RVqM7ZYIB+XAWHAq38FCB/G+BLRUk1:TVC9mHQXAWHsF+/GmUm
                                                                                                                        MD5:BA6BB2DCC110CF970D2D28FB3156CA19
                                                                                                                        SHA1:0411CE7833AA6BB38B106CB4D6663DDE4E723093
                                                                                                                        SHA-256:9093B6C87A93E4B90F7B252612A0F2E51E284259432EED78CA684AA10ACB597A
                                                                                                                        SHA-512:36B78B2165686E4FB9B2E30F5ED2BE9DF47A72592CCFEC3A11130AB4D1144454192D842E6E3567C4971180D06165AA2F5A4EFDBDFC146D735542DBD135AD6BA4
                                                                                                                        Malicious:false
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):547536
                                                                                                                        Entropy (8bit):7.954321629911462
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:12288:56sg5fQsFPQqhCaOR0ou/4/pQGY4UnP16gYstrdjXU:TyVPJ4Gx/Q9UnPoNsH
                                                                                                                        MD5:0AED902207AB1A31F9FF8427000826BB
                                                                                                                        SHA1:F8066CDA2953139454B2B3922C99AAA0F6D40014
                                                                                                                        SHA-256:824015825A5862A4845253D3B52E64D7A9D5C066FA383E43B96973EE9C17CE65
                                                                                                                        SHA-512:708C1BAFB9773E82EE0F322D773AAF47B423E04A5C78A276F54BDAE0BC492C7E4FB24F136FC485157308952F0E2573627240F992676D69284290A74CE801D54F
                                                                                                                        Malicious:false
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):548040
                                                                                                                        Entropy (8bit):7.954539224370836
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:12288:n6sJmW8aM28X0TPy5NM321sAX8r6r8QlvvQ+YtaEhK6j+vakZ9Ho:FJmsgX6yHMGirH8o+VO3d4Ho
                                                                                                                        MD5:893ABE235568F1F8E9B6D89691923152
                                                                                                                        SHA1:557A1E2BD06FC04CB7AE4D0C958A0B4F7D9AC7D6
                                                                                                                        SHA-256:086BDC3119E7AFBB6E18AA23A004E3CA4FB347E9F7CDE53B8D5D35FD39670A02
                                                                                                                        SHA-512:A6E8152529D0AA386C3213BE425662DC92F21CF501FE9CEB377904E5337AD74E1B654A54A5A7F35571C26509A245B69727D59192A98CBBA13B9494DB1B53275D
                                                                                                                        Malicious:false
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):548552
                                                                                                                        Entropy (8bit):7.953245146427829
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:12288:r6sHfdKXyqPk4D8AKbNKUndTPkrYAMux7LotlqBZ:p/1q7DnKb7ndPCdds3U
                                                                                                                        MD5:BCF180643CC268F88B24EDBADE995309
                                                                                                                        SHA1:7F506EA7C69AFFDB52A1CA5CEF8E4AA918A86C42
                                                                                                                        SHA-256:388C83017A001AA799EC63C7D564A272CD33FBE680594045D2364E655E05A239
                                                                                                                        SHA-512:C768C0A726B01D890AE7E51F0DB222B11D08F0814FFFC8F414DCC914160388726E75869D306C44EF73A8B7908094A1132C44B6C7B90FC61D0B6CA3558790A960
                                                                                                                        Malicious:false
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):555208
                                                                                                                        Entropy (8bit):7.958140730271209
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:12288:/6sSneDRrgmgunCMA+Na8fkO+ZcLSWn4aQzX4Dvl7x:tSniTNA+88i4S84aQzX4Dvld
                                                                                                                        MD5:691412D66A8356AF4D4DA120E8765F49
                                                                                                                        SHA1:DF4AFD221A9ECEA239D9CF669155769E7201EE9C
                                                                                                                        SHA-256:23D4D2BC0A717BA9FCBC628C13A62C43D80DF471D6D0542B8A42B9F143105729
                                                                                                                        SHA-512:E185C5BBFBD9423017BB60DE72685204D89AD740B31C9652998324973A392FA2715F67AC557E68C3D7239D812AD1EDE43F2CFD6315D4CF3B0C7CF1E2350620BD
                                                                                                                        Malicious:false
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):544456
                                                                                                                        Entropy (8bit):7.954856341939202
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:12288:F6sEZgy5FYmu71MBGlxr9lEVULUU+jD+lw7U:P6g2mmEMwTrsU4xQuU
                                                                                                                        MD5:CBB354ED8180BFB6EE1634DDED43AA53
                                                                                                                        SHA1:85F8AB37667650AF357C39D31461643F0487C2E0
                                                                                                                        SHA-256:D2D6560E7C3E86E2C82859B7323078457461D209B970A768B343AE0E563BDE8A
                                                                                                                        SHA-512:6812AC31E3546942EBEA3F8FFAA46C6773F9CFBFF88AD13950AE7EA2729946AC064228F69D4BB9AF837060CE06AF348C67D7919C0635E254B6ECA8D2389F0ADD
                                                                                                                        Malicious:false
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):491208
                                                                                                                        Entropy (8bit):7.9480726046159615
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:12288:86srGzLpuU8ZT9yY+D5zfWdLbVyfP/iP8SxqbT5ciqW5:84kUUsY+Nz+bca8SeT5cDM
                                                                                                                        MD5:AEFCDC5FAECBB279DB3B0B83DF733C54
                                                                                                                        SHA1:A2FB4AD44BC67CAC2296B6E224BD2DD708F79A89
                                                                                                                        SHA-256:FBF2EDE54170A44C137A83E3826E4CC90387362E1DD3026A7BEBB68DF0367C61
                                                                                                                        SHA-512:4336256E99FD76E955BB6F97A78A3799B9EDE011E5A14722708B9F946E7D96A6F119EB97E1BFB3D63606176DB0258667BA2537B5473D67EA60830CB7CBF145C9
                                                                                                                        Malicious:false
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):481480
                                                                                                                        Entropy (8bit):7.945745343613268
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:12288:u6sd5H8CrSva/xlDW7ye1/RpQQa5gbaNdPrRYIT:qd3FEnQrgbkMIT
                                                                                                                        MD5:2C1B85BDDC9D751372D132D797A347A2
                                                                                                                        SHA1:61220129EEAA4A3F206585C966E9BC420083EE6A
                                                                                                                        SHA-256:2C713C5E51C66E83D6BED6424A040F7FA982ED6EB1107E32C831CF850FD402CD
                                                                                                                        SHA-512:733AB1136804D92FAA664FC63F3D9EDC9B67EAA38E57B753CFCFB9187D79EFC2BEF678088B3C8455AB7DCD56C8B8D5A02E38EFFD23C67FA8872F0A631E8EBD13
                                                                                                                        Malicious:false
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):475856
                                                                                                                        Entropy (8bit):7.946227600962261
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:6144:5DNAsVv4BCivf7BhoScdfGAXTZPxHnso/Pw7jtqIoPGf4xnrjqAVfqYa6NIf:V6sVv44iH7lcdRtPdnsowV7HfEyEw6
                                                                                                                        MD5:67074BA8EBCDAB9FE075FD46F222321C
                                                                                                                        SHA1:5A65796275DC8A7522FD9E3A17ADA24B6B1D7822
                                                                                                                        SHA-256:9BA0D7345DD28EA7D628EF73F5144653422FC7828DD7DF0EB54713B92D89035B
                                                                                                                        SHA-512:48A27445CE4FE0764070AF5FD09D19F243B56493082B54887242341F123A735E0420DF27DEC8CB5E0637E5DFDDEC863D5E72905D3B736075C864D1EC5E4FE7C0
                                                                                                                        Malicious:false
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):483016
                                                                                                                        Entropy (8bit):7.945617825084998
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:12288:16sKOYWB/9jvGiNW4N0n5nq1eI3LQFNo3:/KOn9bGb4NwZq1x3EFC
                                                                                                                        MD5:E63D712D66814D08449B347B19EA1AA7
                                                                                                                        SHA1:455023E78AE4E8CEE0325B37D3FC5FC98A66B4D4
                                                                                                                        SHA-256:5AD0D90713BF4785121603F76BF09D85B6BFBE9CD269A07BB1198FA486D1372A
                                                                                                                        SHA-512:981379AC3425A1338C3571AF4F1E2241B6A15572A6194116F5B88E7E33A62A2AF9D6A7F3F7814C23D8826AB33D8FF8645505B62F71F29BD576C228D6B95CDFDC
                                                                                                                        Malicious:false
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):485576
                                                                                                                        Entropy (8bit):7.944430110766656
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:12288:Q6sDj1Xnkm2fBZkeomBYkI4zYRV2mwQZegN0jSPztlY:gDj1X3O2mBTZmV5/Qu1zc
                                                                                                                        MD5:7D6C56DF9D318E4326E95726246C282D
                                                                                                                        SHA1:81690644056301B48FCB44BA4DB55BDE53CAAD0F
                                                                                                                        SHA-256:9BD0F67A6C595E980DD1A6AFE63CF7942AC5ACFC88407621B616B29BCF9C8EA5
                                                                                                                        SHA-512:7B9E6601628CBC8AE03930BD9B3EF575735B21605237491E73D3E4744E37D3DC4D26C932FA5842DFD9F2F862596D0436E44BD42A05FE32F7B32FAFA00FB7024D
                                                                                                                        Malicious:false
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):482512
                                                                                                                        Entropy (8bit):7.946061569797945
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:12288:H6swZtfoxTvEX5ppPlD4yNm4007TMFMr:lytfo2X7pPlDlNNv7TMFM
                                                                                                                        MD5:2A8C4E1C3A3247CEF40CDA839DF4FD0A
                                                                                                                        SHA1:0EF01E3EFA9F76D7421E032865DC574A5396EB9F
                                                                                                                        SHA-256:B2414568254FE0DC03825EEBB300287843920E46AB54F3DB976974AA87B7D9D9
                                                                                                                        SHA-512:35CD0340CF47566ED7397F61E8A67891CFB4A99240D32E1221C2C9D29A2417212EB0E618F01FADDA45343DAF1FF624EABFB4F435A04B24FFA450B8FB75A2D6DE
                                                                                                                        Malicious:false
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):485576
                                                                                                                        Entropy (8bit):7.94374799267307
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:6144:eDNAs95KcQ09zSclwisRv3s8SMwjeJV9IWO1ZJk2ALGLCpe+kMVSpn6asCpq06M9:a6sOa9znGC8ueJIx8t9E9YasITqTf0wY
                                                                                                                        MD5:6F84EC869BFD0A9A04B50ADC436FF418
                                                                                                                        SHA1:48C0A4FF5335F5797B7DB6303304D000624B3E88
                                                                                                                        SHA-256:4CA0275D46EDD0D28BA8C793CFA6E683CB31E367C9D28ADCC81C90305D8325AF
                                                                                                                        SHA-512:72EC9850F839E8B1368DB51B1E563421B3B02B3CCA8FDC7C8A444A319ED435770EE1D86F37DD0148C6267AE62A2C503158221DC9BB0DA2FEFD50619BC351E273
                                                                                                                        Malicious:false
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):481992
                                                                                                                        Entropy (8bit):7.94125870267983
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:12288:t6s3wvUX77KlqkDGXFF+ALzf5eTVwTPcVm/BFlw2IEPJf:H38u7WqQc8Vwbc8/BdIe
                                                                                                                        MD5:880807C087D6CB9002BEBBD19DFBEE0B
                                                                                                                        SHA1:36750BAE95429AC48EE5E46B2EEDB27C5551D90B
                                                                                                                        SHA-256:B1A0EC74E264DFC49C0D3E8D9EEDD10F840156B78C0538989A22BF1DA74B9A61
                                                                                                                        SHA-512:F0493D78F4410BC1ECFB8B24E63A941DF4875C036508343A1A61B9AB0E941D44F941418B8D244102A206AC00F5ED4335DC551C6F1F976CDFDDC25BB7106DF089
                                                                                                                        Malicious:false
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):487112
                                                                                                                        Entropy (8bit):7.9491582760888555
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:12288:46s9zsQnPNHXxUVhHZccCxvxcy4p6DMIlhIc9l:Y9zsudBU/nsvi/pKMIlD
                                                                                                                        MD5:E729833409ADA3718EACC83147FD0D09
                                                                                                                        SHA1:DC4AF587C656F1F7D0C3AB77BE6B3B999FD541D7
                                                                                                                        SHA-256:546624660A4932227A57091E855E57C6ED9320357BDA99BECD43AA7F8407E334
                                                                                                                        SHA-512:743F87AB621AE38A6315829D8937EC4C51DD6E51D246B4EDA58F43EBD6EDD3153B674E45797A0C35FD8C351FEB0F66C709A74E6D62DD75273781DFEF623578A8
                                                                                                                        Malicious:false
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):483016
                                                                                                                        Entropy (8bit):7.94464882649723
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:12288:g6sl9v5GPmegmE865CYQabABaev3r5CnClBd:wNZeYcYjwzYnClv
                                                                                                                        MD5:1920EE36B0A4E4A0DB13FB0373121ABD
                                                                                                                        SHA1:5E35CB15B877411F0ACA299653BFBE45B3C285CB
                                                                                                                        SHA-256:A03770728A38628C15BB64C635AEFAF66646E0A44D4398A0B1E6EB3D4FACA92F
                                                                                                                        SHA-512:9304B858FC0C82623CA26C28B4EADB07A0F81A2E0F6B31DA02A6BF873A2904240D2DCF48E5AF2F6A0520DFA81DF77CB85DBD2A6BB42BDB188339264C5DB14F41
                                                                                                                        Malicious:false
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):485576
                                                                                                                        Entropy (8bit):7.946284501132917
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:12288:06szPfx12M3HSmgvDMvRq024wCer8z3c4MnXk8BFy/u1S:EzPv2aSmgrWRq0xwDr8c9kJ/9
                                                                                                                        MD5:8CEE83AD7195D9C01CFA5F0AC54131A6
                                                                                                                        SHA1:AEF2336000A15C8DA681F5D3EB8C1D7BBA15E693
                                                                                                                        SHA-256:C2BAA74B413F7134E1781EA9358AF3C24B11E5F349460BBE8F3272761ED10FFB
                                                                                                                        SHA-512:54C3A87DDE98FC4184F40B9929EF123FAB04520A5FBD7B49030FA00A9D7A61EA51E6B2957245AB5A95758A394D298B23DDBDD073F56082945C398BB3723A43EE
                                                                                                                        Malicious:false
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):477384
                                                                                                                        Entropy (8bit):7.9463516123943565
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:12288:46sF2my6F/B5pqXYILs+k/B5DiwnSPtWF9ruWEq+Fn:YvyIBvr75/Wwi8FuWENn
                                                                                                                        MD5:FF79A2F6BBFCD5FC15C31F87293C2FE6
                                                                                                                        SHA1:1A3D40675F699C14D475EC35F555E1F4218CD73D
                                                                                                                        SHA-256:320EC8DA239F9AE4F42346B1987C5D9FA87D0A79AF3ED1F17BDE2E00969BD805
                                                                                                                        SHA-512:D7379EA1D53840F2C291C3DDDA7060F187F14384EC16963003637BE3F5968033739FE8E004F04B03199B5DC8899E8719660204BABC5A0E938D4CEF081AE745E9
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):486600
                                                                                                                        Entropy (8bit):7.943996013436308
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:12288:U6sWeIALDyz1HIKbvn/I8dLv5yHGsDgt9wf6y:k7LDydLz/I8h9v9wiy
                                                                                                                        MD5:DB12D209624B39A2C277D69966950B82
                                                                                                                        SHA1:2CBCC5995E2E942523C7A58B69C26AB8F6ACABB7
                                                                                                                        SHA-256:92A8EF829EDF4A43505F69E79019AB9CA24644A49B9859D9885676AA438F55EA
                                                                                                                        SHA-512:A335D1A3CCAA120387AF1A619817935C7C147C41E089530D05C5DC9BE4E02A5233BC7EA81102850BF865F7CACB6726FE7574E4AAB245746F065F03559A29039A
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):487624
                                                                                                                        Entropy (8bit):7.944466657377822
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:12288:a6sUb3FgPcsTDLKZFQT4KA58BWZCpQZ1dnZn0IE41wO:WUbeE6KjQTVW8wspQBZ0IE41V
                                                                                                                        MD5:0C16B7CC28691FF835F075B765326CDA
                                                                                                                        SHA1:2ACEF43E1E15ED0B7A558ED582DE5498641356F1
                                                                                                                        SHA-256:BA62238DD5C4868E96472C33D1CEB10F500EA29BBF49CC370A4A1A1AFA44A345
                                                                                                                        SHA-512:C79B3F767EE90B3A028AE0B30F015BA53BBB348399AF215054A3D8D731BB7E5B7535008C22FA22C603F29D4AF47A6AA1365D28841234A40FA7F9135ACA0C5743
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):485584
                                                                                                                        Entropy (8bit):7.9442158938209735
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:12288:N6suBIuDVdpetlUnZrt3DhY/W8H7O391Hq9:nmIuZFZrQPO32
                                                                                                                        MD5:A3BE4F173E9E87AFF860FA84A97FB594
                                                                                                                        SHA1:FAF06F5575AAA6AAA5C2A8771A8EC33DCA506FFC
                                                                                                                        SHA-256:68C095F6CF10E89E26FC45F6251931A8A2E5AA45016DDCD1F8C99EDEA195DFB7
                                                                                                                        SHA-512:16583E851CED0F5B460E90CC749CD4EDD48A3C9072B6A596DC6DA073A51E663DA99513E8900003CE03D2029F925C6F4F6239EB065A45CE9E3A389D97459DBDC7
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):487112
                                                                                                                        Entropy (8bit):7.944279006920532
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:12288:C6sC+KpOSeRbz1MrFjmw+NhJ9f1SJAp9OGECLkn3C2Js++d0SO9aq:OtYJIbBMrFjmw+X3fYM9hBknyhpBON
                                                                                                                        MD5:827FE9E1189D995FBFE524B71A0F0513
                                                                                                                        SHA1:9494D5EFCD52CB1121DD74157529A24279032051
                                                                                                                        SHA-256:37FAC212CAE54B5800F5C52D016CD83D7F400C4401D3557C5F214DC7C16ECF9A
                                                                                                                        SHA-512:44579D73F35FEF8362D014822B0439882C7EA90C79C72EFF14D4BAAA4EC55D4DAA55B01F110EBBCCE3E22031381B1AAF1C098A082C61CEC28B76EB179EC42EA6
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):492744
                                                                                                                        Entropy (8bit):7.9465527932963305
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:12288:R6saVrdhvk328JgfPwQc95N5VEHR1nIuIrYr:b0rbKnCfIh95rVs1IuMA
                                                                                                                        MD5:8A0357DD262EACA614B7702BB540BF3C
                                                                                                                        SHA1:561BB3FA4AEB24E8B5313F65F36161DE3C5DCA67
                                                                                                                        SHA-256:4D850FF4C2A67C7B012E7390AA5B569DDA76E58C3A5496C68D5D2502C3F85A0E
                                                                                                                        SHA-512:2F0DECCA4B5F2E0CAC84D8BB8A4A9047FB8D936975D2ECAA9A498A99902662D8CD7B50552976CEC70AA6EE4915CA9CEE0B0DF030A02C373CDDF64131BE1D1D98
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):482504
                                                                                                                        Entropy (8bit):7.943934222430446
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:6144:XDNAsC7dcsanEdAAwnEKFC1BVNiRvyQ95lLCbjZBkqdu5ccYeESB6h7FNrotTSNS:T6sC7RvwEs1pCb9aqaBESBsNrKTaBQwq
                                                                                                                        MD5:D2491F372D0206755CAEC6C8B94F9E7A
                                                                                                                        SHA1:01DB070FD731D26BD318A9B7CEBDEA24017A4F9F
                                                                                                                        SHA-256:05B114B2D95F0B25399DDEBFEE49B6E0A26A78B8631A7E3D8BA2145450D89A21
                                                                                                                        SHA-512:4C06304A0F871528B85B882F156C438F8B6B8DAF8F6E1F9129724A8E48EF1B5FB5600C7B28875623D28CABF7014E3BA372781F4D0FB0148FD2AFD39F40AF3E6A
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):2722992
                                                                                                                        Entropy (8bit):7.997254745166301
                                                                                                                        Encrypted:true
                                                                                                                        SSDEEP:49152:2Lg3Pdm1YYh2T/X4qe+QIy76FFNr98vsX6bksV/pnA7qIqfZfc6:6GI1YY+XXQUFFN5K44/m7qth
                                                                                                                        MD5:299A451E3DA67D8E661AE2F22F1ABC5B
                                                                                                                        SHA1:B88B1D7C7E4FB23AB02425D5A98A2FACAA20BEA5
                                                                                                                        SHA-256:5794BA20826200174BA3B38FDCEAD8E82E9B094798F99BD2F524E55B16DEA2B2
                                                                                                                        SHA-512:D567860B0815F1583AEF24D4BC79FD37D9DF227B5414F5FB4C6EC641FD8FAFF9567F87471DE4F3620CFDA9B8A806BC88D25235F1F8CA91BF1E392472DD2F91E3
                                                                                                                        Malicious:true
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):2430128
                                                                                                                        Entropy (8bit):7.996503929638374
                                                                                                                        Encrypted:true
                                                                                                                        SSDEEP:49152:Mugdvdso6oGwFXmww6JDeOcrdMbsB0jJMFO9JRtnri+W0rSZX3:LqO3aXXJD0zCGeW+W0+3
                                                                                                                        MD5:B354420B866F670FE69EC8C7611CAB23
                                                                                                                        SHA1:B2F2AC0869232CCA28FED253330CC630DC08159F
                                                                                                                        SHA-256:4BCE19AA9CE251A5F208BE8AE5FF11E92D0E0878F1CF4ADD25E367E5D89810A7
                                                                                                                        SHA-512:A93B666C5F1A306B7FD10309F683A4C6497503E65772B273A9C97D59FC53FD5A4C6F5E86F7B5C998D90977F242FE97ED2E9765B8AB89921496474AAA33E0C54C
                                                                                                                        Malicious:true
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PC bitmap, Windows 3.x format, 164 x 628 x 24, image size 308978, resolution 2834 x 2834 px/m, cbSize 309032, bits offset 54
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):309032
                                                                                                                        Entropy (8bit):6.583379857106919
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3072:yUDLmozgtuVYKKKvwUbKh5+/uWLspp2e1jSaMsb1bIZU0g0WQbO//QGVYBtGKQgc:yUDLmozvygKjzbIGgBZBkUfDfc
                                                                                                                        MD5:1A5CAAFACFC8C7766E404D019249CF67
                                                                                                                        SHA1:35D4878DB63059A0F25899F4BE00B41F430389BF
                                                                                                                        SHA-256:2E87D5742413254DB10F7BD0762B6CDB98FF9C46CA9ACDDFD9B1C2E5418638F2
                                                                                                                        SHA-512:202C13DED002D234117F08B18CA80D603246E6A166E18BA422E30D394ADA7E47153DD3CCE9728AFFE97128FDD797FE6302C74DC6882317E2BA254C8A6DB80F46
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exe
                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with very long lines (456), with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):9732
                                                                                                                        Entropy (8bit):3.790055917221028
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:192:a6hjIZ3cIewy2NLOJV0BmirQPAZLBLvn6S2/vnYzzXhdPSW:a+YyPi/7z6S23WTP3
                                                                                                                        MD5:37BF48382DFA5F1D0D847F6AC2334527
                                                                                                                        SHA1:4E8BEE51C6D71D297A9B19E42AF822D9E33D6E88
                                                                                                                        SHA-256:0915A72556674A3635AF7137CC6C092E8F7B058984A6C8AAF301C05F0930AEAB
                                                                                                                        SHA-512:F62FCBCA6692F1603F8F71BF06A0F25BC16B979FF947DBDF4646899F7798E8DA8513D52E59AF1DF774BFD77D666B3DCEF0AB9993CD0534AA511483F25C3C62C5
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exe
                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):3840
                                                                                                                        Entropy (8bit):6.594973868755483
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:48:IrzzlQecWGSt7npUjeIjrllkzc4k1f89xRnPVfEHnoAEfFC74M/5CyIp:IrFQLStnpY3jr83CfYnPOSLyIp
                                                                                                                        MD5:14CAE1B34CC20375EE409F72103B60E6
                                                                                                                        SHA1:5B5C2506E31A05D39186836DF7E7620FE3ECC935
                                                                                                                        SHA-256:C393F75E8FE6A5A022DAC4ED3EBE5955E93A294DAE83657010165E63A781DF44
                                                                                                                        SHA-512:2A4B83D3AC693C9E6F76EF949DA23C4D46C89D21411587624910EC9BFC8ABBDC12F8DEE103DA6C4025E4204BFC679A95C18CE463CF5A4D8537500B659051748E
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exe
                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with very long lines (555), with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):11254
                                                                                                                        Entropy (8bit):3.51311134245129
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:96:6OcIo5b7V+/JSIYpgIGgeDECRk9wpXmtxqNaswY/xl0KNvBb9UV/UJH8hnWDl4jF:GIGtGOsPsgBpcaGlVY0Z
                                                                                                                        MD5:AAAAA62D4AEE7A562D777D5DECC8B3AE
                                                                                                                        SHA1:9B3B366C282B121913282C9A5105EA9EE0C0474A
                                                                                                                        SHA-256:3056460748BC8349F728DCAA6D38FD2D9FE3547BA5C510572F90055F6B51FAAC
                                                                                                                        SHA-512:4B972860952A02FCB09358FFBFFA2CA3E006ECBD5B1A632BB6C568E2B492EB17CD743351DECA0A989802A8A2272F125544772E3A58EFB259D0D7588303A6AB50
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exe
                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with very long lines (660), with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):15216
                                                                                                                        Entropy (8bit):3.509492525709541
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:192:VSQAY05JEzLJgbE8xeuaQOI9cqOANn2fxQ:IYwJEzNgYTuasGlA12fxQ
                                                                                                                        MD5:F4A147B479B0D7F040AF753CBB101AB7
                                                                                                                        SHA1:51DDC77F930486117FA018AD7143EB97B16CB9D5
                                                                                                                        SHA-256:A6133808D01961C10F30CD487DBEE8F07C816EC774A83DE27BD694148222A094
                                                                                                                        SHA-512:397D2997EC95F62FBFDC0AC177F0CB761F52C334C6C08374D16F13F9E156F5B4036927BE696196354B23940BDB042467A8976E3B705830815D1C17723A476044
                                                                                                                        Malicious:false
                                                                                                                        Preview:..M.I.C.R.O.S.O.F.T. .S.O.F.T.W.A.R.E.:. .L.I.Z.E.N.Z.B.E.S.T.I.M.M.U.N.G.E.N.....M.I.C.R.O.S.O.F.T. .V.I.S.U.A.L. .S.T.U.D.I.O. .T.O.O.L.S. .F...R. .M.I.C.R.O.S.O.F.T. .O.F.F.I.C.E. .S.Y.S.T.E.M. .(.V.E.R.S.I.O.N. .4...0. .R.U.N.T.I.M.E.).........D.i.e.s.e. .L.i.z.e.n.z.b.e.s.t.i.m.m.u.n.g.e.n. .s.i.n.d. .e.i.n. .V.e.r.t.r.a.g. .z.w.i.s.c.h.e.n. .I.h.n.e.n. .u.n.d. .d.e.r. .M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n. .(.o.d.e.r. .e.i.n.e.r. .a.n.d.e.r.e.n. .M.i.c.r.o.s.o.f.t.-.K.o.n.z.e.r.n.g.e.s.e.l.l.s.c.h.a.f.t.,. .w.e.n.n. .d.i.e.s.e. .a.n. .d.e.m. .O.r.t.,. .a.n. .d.e.m. .S.i.e. .d.i.e. .S.o.f.t.w.a.r.e. .e.r.w.e.r.b.e.n.,. .d.i.e. .S.o.f.t.w.a.r.e. .l.i.z.e.n.z.i.e.r.t.)... .B.i.t.t.e. .l.e.s.e.n. .S.i.e. .d.i.e. .L.i.z.e.n.z.b.e.s.t.i.m.m.u.n.g.e.n. .a.u.f.m.e.r.k.s.a.m. .d.u.r.c.h... .S.i.e. .g.e.l.t.e.n. .f...r. .d.i.e. .d.e.r. .o.b.e.n. .g.e.n.a.n.n.t.e.n. .S.o.f.t.w.a.r.e. .u.n.d. .g.e.g.e.b.e.n.e.n.f.a.l.l.s. .f...r. .d.i.e. .M.e.d.i.e.n.,. .a.u.f. .d.e.n.e.n. .S.i.e. .d.i.
                                                                                                                        Process:C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exe
                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with very long lines (432), with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):9698
                                                                                                                        Entropy (8bit):3.3499182192510224
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:96:ufJFuIu+P8AWybUWhJJhLBKz1+EvgfwtI1c384MTAXc4INUtxNlgWgcxRJomVVCE:YJUIu+P8tdIoXDIWtLlgc7CRB0jSbW
                                                                                                                        MD5:BE6142E24326C7E3F1030B95BBA80D1B
                                                                                                                        SHA1:42E5E22DDACD732754A88F345E08B10A84AB46BA
                                                                                                                        SHA-256:030B04CE7FADC9DA232BE9A76BF35D9ECCCE7EB8C37C5E238095D71397A5AFD7
                                                                                                                        SHA-512:7E8B43A82C2ABF2865E1C8E5526B370831D703A58C0AC07DBB0E3BB1A18685670024D81401639D1C3B42F8E809CF6B8A794D5872B083AC82DEAC281E5F38574F
                                                                                                                        Malicious:false
                                                                                                                        Preview:..M.I.C.R.O.S.O.F.T. .S.O.F.T.W.A.R.E. .L.I.C.E.N.S.E. .T.E.R.M.S.....M.I.C.R.O.S.O.F.T. .V.I.S.U.A.L. .S.T.U.D.I.O. .T.O.O.L.S. .F.O.R. .T.H.E. .M.I.C.R.O.S.O.F.T. .O.F.F.I.C.E. .S.Y.S.T.E.M. .(.V.E.R.S.I.O.N. .4...0. .R.U.N.T.I.M.E.).........T.h.e.s.e. .l.i.c.e.n.s.e. .t.e.r.m.s. .a.r.e. .a.n. .a.g.r.e.e.m.e.n.t. .b.e.t.w.e.e.n. .M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n. .(.o.r. .b.a.s.e.d. .o.n. .w.h.e.r.e. .y.o.u. .l.i.v.e.,. .o.n.e. .o.f. .i.t.s. .a.f.f.i.l.i.a.t.e.s.). .a.n.d. .y.o.u... .P.l.e.a.s.e. .r.e.a.d. .t.h.e.m... .T.h.e.y. .a.p.p.l.y. .t.o. .t.h.e. .s.o.f.t.w.a.r.e. .n.a.m.e.d. .a.b.o.v.e.,. .w.h.i.c.h. .i.n.c.l.u.d.e.s. .t.h.e. .m.e.d.i.a. .o.n. .w.h.i.c.h. .y.o.u. .r.e.c.e.i.v.e.d. .i.t.,. .i.f. .a.n.y... .T.h.e. .t.e.r.m.s. .a.l.s.o. .a.p.p.l.y. .t.o. .a.n.y. .M.i.c.r.o.s.o.f.t.........u.p.d.a.t.e.s.,.........s.u.p.p.l.e.m.e.n.t.s.,.........I.n.t.e.r.n.e.t.-.b.a.s.e.d. .s.e.r.v.i.c.e.s.,. .a.n.d. .........s.u.p.p.o.r.t. .s.e.r.v.i.c.e.s.....f.o.r. .t.h.i.s. .s.o.f.t.
                                                                                                                        Process:C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exe
                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with very long lines (549), with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):12140
                                                                                                                        Entropy (8bit):3.4775959694086733
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:192:lqEjZZceoVLtX5KVDeUAFBrjifYjYK9cWFjmDspWKSi3F0qbiyMBN1vploub:8Ej+X5KxehFBQCYW/d3F0qbijLtp+I
                                                                                                                        MD5:B16CE8EB5F0876096A6B2ECB779BA300
                                                                                                                        SHA1:EF71B6B71C22A37C7CDE640AC417E4AABA3ADA06
                                                                                                                        SHA-256:8AD53D31EF9AC9E5166C5E7AC87A6EB9995E688ADEE31158ABEAC242B2494C70
                                                                                                                        SHA-512:62CAFA029F6449A4BDFBDBBC559872CE71A670B4286B37CF2D2A49BA5BB1929D188EE8F21B8BEEB9772E458B1D86CD1DF76F553CB8E4CED9038524690BD90792
                                                                                                                        Malicious:false
                                                                                                                        Preview:..M.I.C.R.O.S.O.F.T.-.O.H.J.E.L.M.I.S.T.O.N. .K...Y.T.T...O.I.K.E.U.S.S.O.P.I.M.U.K.S.E.N. .E.H.D.O.T.....M.I.C.R.O.S.O.F.T. .V.I.S.U.A.L. .S.T.U.D.I.O. .T.O.O.L.S. .F.O.R. .T.H.E. .M.I.C.R.O.S.O.F.T. .O.F.F.I.C.E. .S.Y.S.T.E.M. .(.4...0. .R.U.N.T.I.M.E.).........N...m... .k...y.t.t...o.i.k.e.u.s.s.o.p.i.m.u.k.s.e.n. .e.h.d.o.t. .o.v.a.t. .s.o.p.i.m.u.s. .a.s.i.a.k.k.a.a.n. .j.a. .M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n.i.n. .(.t.a.i. .a.s.i.a.k.k.a.a.n. .a.s.u.i.n.p.a.i.k.a.n. .m.u.k.a.a.n. .m.....r...y.t.y.v...n. .M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n.i.n. .k.o.n.s.e.r.n.i.y.h.t.i...n.). .v...l.i.l.l..... .L.u.e. .e.h.d.o.t. .h.u.o.l.e.l.l.i.s.e.s.t.i... .E.h.d.o.t. .k.o.s.k.e.v.a.t. .y.l.l... .n.i.m.e.t.t.y... .o.h.j.e.l.m.i.s.t.o.a. .s.e.k... .a.s.e.n.n.u.s.m.e.d.i.o.i.t.a.,. .j.o.i.l.l.a. .o.h.j.e.l.m.i.s.t.o. .o.n. .m.a.h.d.o.l.l.i.s.e.s.t.i. .t.o.i.m.i.t.e.t.t.u... .E.h.d.o.t. .k.o.s.k.e.v.a.t. .m.y...s. .M.i.c.r.o.s.o.f.t.i.n. .o.h.j.e.l.m.i.s.t.o.o.n. .l.i.i.t.t.y.v.i...
                                                                                                                        Process:C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exe
                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with very long lines (552), with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):12026
                                                                                                                        Entropy (8bit):3.49731717292859
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:192:lZ+iMScqwm6npiueEASc7XxKMKgj1ebKH7m5q666j1o3MLycT4oUK5I/S:z+i+U6pMeX2idUkAS
                                                                                                                        MD5:050D6F6B4995E30F1EFE96D4BB7D6695
                                                                                                                        SHA1:823DBF75601238349E516E5A7DA594C9C7EF8C55
                                                                                                                        SHA-256:99E0986D68B69E10C01C296ABD599687209179C76A1614BF614121DBB9B0F595
                                                                                                                        SHA-512:6F95211EA9D38B2B062753811A5BF8E3E02AC58443CCDFEEA379F4278DFBF2254BE7B5CA9B31346BBF9F4AF8537E1927070DF49B2B3DE539F334396CB41CA877
                                                                                                                        Malicious:false
                                                                                                                        Preview:..T.E.R.M.E.S. .D.U. .C.O.N.T.R.A.T. .D.E. .L.I.C.E.N.C.E. .D.. U.N. .L.O.G.I.C.I.E.L. .M.I.C.R.O.S.O.F.T.....M.I.C.R.O.S.O.F.T. .V.I.S.U.A.L. .S.T.U.D.I.O. .T.O.O.L.S. .F.O.R. .T.H.E. .M.I.C.R.O.S.O.F.T. .O.F.F.I.C.E. .S.Y.S.T.E.M. .(.V.E.R.S.I.O.N. .4...0. .R.U.N.T.I.M.E.).........L.e.s. .p.r...s.e.n.t.s. .t.e.r.m.e.s. .o.n.t. .v.a.l.e.u.r. .d.e. .c.o.n.t.r.a.t. .e.n.t.r.e. .M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n. .(.o.u. .e.n. .f.o.n.c.t.i.o.n. .d.u. .l.i.e.u. .o... .v.o.u.s. .v.i.v.e.z.,. .l.. u.n. .d.e. .s.e.s. .a.f.f.i.l.i...s.). .e.t. .v.o.u.s... .L.i.s.e.z.-.l.e.s. .a.t.t.e.n.t.i.v.e.m.e.n.t... .I.l.s. .p.o.r.t.e.n.t. .s.u.r. .l.e. .l.o.g.i.c.i.e.l. .n.o.m.m... .c.i.-.d.e.s.s.u.s.,. .y. .c.o.m.p.r.i.s. .l.e. .s.u.p.p.o.r.t. .s.u.r. .l.e.q.u.e.l. .v.o.u.s. .l.. a.v.e.z. .r.e...u. .l.e. .c.a.s. ...c.h...a.n.t... .C.e. .c.o.n.t.r.a.t. .p.o.r.t.e. ...g.a.l.e.m.e.n.t. .s.u.r. .l.e.s. .p.r.o.d.u.i.t.s. .M.i.c.r.o.s.o.f.t. .s.u.i.v.a.n.t.s...:....." .l.e.s. .m.i.s.e.s. ... .j.o.u.
                                                                                                                        Process:C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exe
                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with very long lines (405), with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):8334
                                                                                                                        Entropy (8bit):3.8337054433603073
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:96:iO92dirX12J8lnfeVYUWv4xaZFBgL/XW33UuzIiFW:XQirXcqln/FW+gL/XWHUuzVFW
                                                                                                                        MD5:B846A5B933198D4F185A2DE06971A963
                                                                                                                        SHA1:DA063A055694F19DE1B5E6A9C6BADB0EF7DDBB08
                                                                                                                        SHA-256:E6663B3378B4589A3F01E3BDED1EE58A3B2F55640A8DC47DBD43EBC5F203B348
                                                                                                                        SHA-512:F9AD32EC6CE2A76A88995EBF6FA4C42391F94B4D08C748830104B4DAE7CD70ADC24D774A498BF249F5198DE8ACC7FB57A8587EB297DE7AD84AD6D8B397D93B59
                                                                                                                        Malicious:false
                                                                                                                        Preview:.......... ........... ..... ........... .. M.I.C.R.O.S.O.F.T.....M.I.C.R.O.S.O.F.T. .V.I.S.U.A.L. .S.T.U.D.I.O. .T.O.O.L.S.. ......... .. T.H.E. .M.I.C.R.O.S.O.F.T. .O.F.F.I.C.E. .S.Y.S.T.E.M.. .(........... .. . 4...0.. . .. R.U.N.T.I.M.E.. ).. ............ ........... ....... ............. ......... ....... .M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n. .(..... ....... ..................... .......,. ........... ........... .............). .............. . .. .... ........... ............ . .. .... ......... ..... ............. ............... .........,. ............. ..... ........... ............. .(...........). ....... ........... .........,. ..... ............ . .. ............ ......... ..... ..... ............... ........... ..... .M.i.c.r.o.s.o.f.t....." ...............,....." .............,....." ............... ............. ...............,. ........ .. ...." ............. ...........,............. ........... .....,. ....... ..... ............. ........... .....
                                                                                                                        Process:C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exe
                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with very long lines (594), with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):13730
                                                                                                                        Entropy (8bit):3.424486125850018
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:192:KMkWhFh2Y2AfJBCVASQavc3xh3xBSXwMnuEz3ZZE88agayrq+t:tf/utQXhaukTSaynt
                                                                                                                        MD5:CB8B8B4F0670349C218881941DA8921C
                                                                                                                        SHA1:F9E91570B951F2B3257E0399E2B6353BDDD4DA77
                                                                                                                        SHA-256:FA591351700C4E1FF82BD4D8D0ED7B10C64157A79589ECA2511DFD3F5530463D
                                                                                                                        SHA-512:D112277740BAC01F96B1BD1B09D885BE0F4CCB11D2BAEA7227C1BC63A28C712F7F681BEA5809CE01125446DF149265BE4B54B059709B9B30FD345D9B503BF2FD
                                                                                                                        Malicious:false
                                                                                                                        Preview:..C.O.N.T.R.A.T.T.O. .D.I. .L.I.C.E.N.Z.A. .P.E.R. .I.L. .S.O.F.T.W.A.R.E. .M.I.C.R.O.S.O.F.T.....M.I.C.R.O.S.O.F.T. .V.I.S.U.A.L. .S.T.U.D.I.O. .T.O.O.L.S. .P.E.R. .M.I.C.R.O.S.O.F.T. .O.F.F.I.C.E. .S.Y.S.T.E.M. .(.R.U.N.T.I.M.E. .V.E.R.S.I.O.N.E. .4...0.).........L.e. .p.r.e.s.e.n.t.i. .c.o.n.d.i.z.i.o.n.i. .d.i. .l.i.c.e.n.z.a. .c.o.s.t.i.t.u.i.s.c.o.n.o. .i.l. .c.o.n.t.r.a.t.t.o. .t.r.a. .M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n. .(.o.,. .i.n. .b.a.s.e. .a.l. .l.u.o.g.o. .d.i. .r.e.s.i.d.e.n.z.a. .d.e.l. .l.i.c.e.n.z.i.a.t.a.r.i.o.,. .u.n.a. .d.e.l.l.e. .s.u.e. .c.o.n.s.o.c.i.a.t.e.). .e. .i.l. .l.i.c.e.n.z.i.a.t.a.r.i.o... .I.l. .l.i.c.e.n.z.i.a.t.a.r.i.o. .d.e.v.e. .l.e.g.g.e.r.l.e. .c.o.n. .a.t.t.e.n.z.i.o.n.e... .L.e. .p.r.e.s.e.n.t.i. .c.o.n.d.i.z.i.o.n.i. .s.i. .a.p.p.l.i.c.a.n.o. .a.l. .s.o.f.t.w.a.r.e. .M.i.c.r.o.s.o.f.t. .s.o.p.r.a. .i.n.d.i.c.a.t.o.,. .i.n.c.l.u.s.i. .g.l.i. .e.v.e.n.t.u.a.l.i. .s.u.p.p.o.r.t.i. .d.i. .m.e.m.o.r.i.z.z.a.z.i.o.n.e. .s.u.i. .q.u.a.l.i. ...
                                                                                                                        Process:C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exe
                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):5688
                                                                                                                        Entropy (8bit):5.566774799697373
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:96:JVtKn6a4XgxyG61NDFMf4OoBHiR4JsY/VHHLIj7fhPWuNdkvpyUw:Jun616SHlr/RCPckb
                                                                                                                        MD5:73B71E95088DFFF6CD4C02130FCBC631
                                                                                                                        SHA1:30273B373EE087BB052EA553A5B47C6B441A1FE5
                                                                                                                        SHA-256:4B8453E1DB2094EDF223E7E62B8DA2B1EB761314A3B63B472E546ED82E9C5E44
                                                                                                                        SHA-512:3CE8A5214DF78DAB756E077172926521B1CF51801D8220845E27B4B712B7633FB44E7D11FA3732316D690CB4459BC15EF586788BA33DF6A2EE33AA316006093B
                                                                                                                        Malicious:false
                                                                                                                        Preview:...0.0.0.0.0.0.0 ..0.0.0.0.0.0 ..0.0.0.0.0ag......M.I.C.R.O.S.O.F.T. .V.I.S.U.A.L. .S.T.U.D.I.O. .T.O.O.L.S. .F.O.R. .T.H.E. .M.I.C.R.O.S.O.F.T. .O.F.F.I.C.E. .S.Y.S.T.E.M. .(.V.E.R.S.I.O.N. .4...0. .R.U.N.T.I.M.E.).........,g.0.0.0.0.0.0.0 ..0.0.0.0.0ag.. .(..N.N.0,g.0.0.0.0.0ag...0h0D0D0~0Y0).o0.0J0.[.ih0M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n....0.N.N.0.0.0.0.0.0.0.0.0h0D0D0~0Y0..h0n0QY.}.0.i.bW0~0Y0.0.N.Nn0ag...0.l.aW0f0J0...0O0`0U0D0.0,g.0.0.0.0.0ag..o0.0.N..n0.0.0.0.0.0.0J0.0s0.0.0.0.0.0.0L0..2.U0.0_0.ZSO .(..N.N.}.yW0f0.0,g.0.0.0.0.0.0.0h0D0D0~0Y0). .k0i.(uU0.0~0Y0.0~0_0.0,g.0.0.0.0.0ag..o0.0.N.Nn0,g.0.0.0.0.0.0k0..#.Y0.0.0.0.0.0.0.0.0...Tk0.0%R...V.gn0.0.0.0.0.0ag..L0.N^\W0f0D0j0D04X.Tk0o0.0S0.0.0n0...Tk0.0i.(uU0.0.0.0n0h0W0~0Y0.0...." ..f.e.0.0.0.0.0...." ....Rir...." ..0.0.0.0.0.0.0.0.0.0n0.0.0.0.0...." ..0.0.0.0 ..0.0.0.0....j0J0.0S0.0.0n0...Tk0%R...V.gn0.0.0.0.0.0ag..L0.N^\W0f0D0.04X.Tk0o0.0S_r..0.0.0.0.0ag..L0i.(uU0.0.0.0n0h0W0~0Y0.0....,g.0.0.0.0.0.0.0.O(uY0.0S0h0k0
                                                                                                                        Process:C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exe
                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):5848
                                                                                                                        Entropy (8bit):5.495415042980411
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:96:lSbEI7W+eU2guxMwBQMZ+XYg9MXIAoV7kMozPW:Byuv1RW
                                                                                                                        MD5:9566BBDE8F9374B8B542DD73698621F0
                                                                                                                        SHA1:96B2EA1D13B1603D2DC4DF72F79C8D83FBF831E8
                                                                                                                        SHA-256:EA4E4E4334F40280A4DEE1A79D4757D4E6B18E188BC2B725C65859710B76A3BE
                                                                                                                        SHA-512:1AA59EB6946767F17BF5612329A4AE2E97EBF43CA97435BCBD2E9997EF34EF2EDC4BC83CC5E5DA1662668EB75927C8D255BBE78D31E3EB4DA5069D69418C64B4
                                                                                                                        Malicious:false
                                                                                                                        Preview:..M.I.C.R.O.S.O.F.T. ......... ..... .p.t.....M.I.C.R.O.S.O.F.T. .V.I.S.U.A.L. .S.T.U.D.I.O. .T.O.O.L.S. .F.O.R. .T.H.E. .M.I.C.R.O.S.O.F.T. .O.F.F.I.C.E. .S.Y.S.T.E.M.(..... .4...0. .....)........... ..... .p.t.@. .M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n.(..... .p... ....... .0.|. ..... ... .X..)... ...X. ..... ........ ..}...... .}.. .....0. ......... ... ..... .p.t.@. ..... ....... ......... ... ... ........... ...h... ..... .... ..... .t... ..... ....)..... ... ..}.@. .t... ...... ...X. .}...t. ..... .J.. .\.,. ... ........... ...\....." ...p.t..,....." ..... .l.1. ....,....." .x.0.7. .0... ...D... ......." ..... ...D.......@. ...@. .M.i.c.r.o.s.o.f.t. .l.1. ....... ....)..... ...X. .}...t. .... .....,. .t... .}...t. ....).........t. .........|. .....h.<.\.h. ...X.. .D..X. .p.t.... ..X.X.. .)..... ..X.X... .J.D. ........ .........|. .....X... ......$......... ..... .p.t.D. .....X.. ..... .D..@. ...@. ...\.D. ....
                                                                                                                        Process:C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exe
                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with very long lines (529), with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):12290
                                                                                                                        Entropy (8bit):3.467636607529899
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:96:w+GsQx8VBjxAYR3c6qMPh29ORGpBjyetfaPUt1DDLs9F2tflhCUpOhQGm1AXOyks:SKjZc6+D3t+sOXtAw
                                                                                                                        MD5:63B68FB4C4A125BCCD6722EDE5EF51AD
                                                                                                                        SHA1:7177F5433CE8BB8E632D75C9C3169BD45C9A0096
                                                                                                                        SHA-256:F8A8315A88546FF386B51310821E96D71FD76336B2044D820AC38179B6D05A51
                                                                                                                        SHA-512:8A6C0099987282A7B372F3C4AB9ECEC4FD37B3B53DB0F8A25403AFEFC4110248AAE30629857FBE740AA3567C75B051F27AC5D9510D157C578890C02D82AF1DFB
                                                                                                                        Malicious:false
                                                                                                                        Preview:..M.I.C.R.O.S.O.F.T. .S.O.F.T.W.A.R.E. .L.I.C.E.N.T.I.E.B.E.P.A.L.I.N.G.E.N.....M.I.C.R.O.S.O.F.T. .V.I.S.U.A.L. .S.T.U.D.I.O. .T.O.O.L.S. .F.O.R. .T.H.E. .M.I.C.R.O.S.O.F.T. .O.F.F.I.C.E. .S.Y.S.T.E.M. .(.V.E.R.S.I.O.N. .4...0. .R.U.N.T.I.M.E.).........D.e.z.e. .l.i.c.e.n.t.i.e.b.e.p.a.l.i.n.g.e.n. .v.o.r.m.e.n. .e.e.n. .o.v.e.r.e.e.n.k.o.m.s.t. .t.u.s.s.e.n. .M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n. .(.o.f.,. .a.f.h.a.n.k.e.l.i.j.k. .v.a.n. .u.w. .w.o.o.n.p.l.a.a.t.s.,. .e.e.n. .v.a.n. .h.a.a.r. .g.e.l.i.e.e.r.d.e. .o.n.d.e.r.n.e.m.i.n.g.e.n.). .e.n. .u... .L.e.e.s. .d.e.z.e. .b.e.p.a.l.i.n.g.e.n. .a.a.n.d.a.c.h.t.i.g. .d.o.o.r... .D.e.z.e. .b.e.p.a.l.i.n.g.e.n. .z.i.j.n. .v.a.n. .t.o.e.p.a.s.s.i.n.g. .o.p. .d.e. .s.o.f.t.w.a.r.e. .d.i.e. .h.i.e.r.b.o.v.e.n. .w.o.r.d.t. .v.e.r.m.e.l.d.,. .m.e.t. .i.n.b.e.g.r.i.p. .v.a.n. .d.e. .m.e.d.i.a. .w.a.a.r.o.p. .u. .d.e. .s.o.f.t.w.a.r.e. .h.e.b.t. .o.n.t.v.a.n.g.e.n. .(.i.n.d.i.e.n. .v.a.n. .t.o.e.p.a.s.s.i.n.g.)... .D.e. .b.e.p.a.l.i.n.g.
                                                                                                                        Process:C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exe
                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with very long lines (561), with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):11576
                                                                                                                        Entropy (8bit):3.4911867001705126
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:192:nKKfYCs2P6xVcfwVVZV+wVO5lVOwoSNOSVQlVzziV5rVBYkVOvH7uAfOUp22e36y:MOmVL/+3toH8nfQbmZx
                                                                                                                        MD5:1DD661E4AB4409F81706E20E0A397F4C
                                                                                                                        SHA1:3CC5C49839D2E488B96396DE6798A1D44FF8C2C5
                                                                                                                        SHA-256:AD2BC0E4B401F3AA9CE17851D6ED491AF134436A00D5D554A2A70527FF4929E8
                                                                                                                        SHA-512:54B31ECE512DE2F8F9FC17718DCB3EC581BB581C4235FAE8CEFAA03910BC7FE5F434BE70D90F3133FBBDC472702DDBFEC404821489340C308ACDF96AEE47A523
                                                                                                                        Malicious:false
                                                                                                                        Preview:..L.I.S.E.N.S.V.I.L.K...R. .F.O.R. .M.I.C.R.O.S.O.F.T.-.P.R.O.G.R.A.M.V.A.R.E.....M.I.C.R.O.S.O.F.T. .V.I.S.U.A.L. .S.T.U.D.I.O. .T.O.O.L.S. .F.O.R. .T.H.E. .M.I.C.R.O.S.O.F.T. .O.F.F.I.C.E. .S.Y.S.T.E.M. .(.V.E.R.S.I.O.N. .4...0. .R.U.N.T.I.M.E.).........D.i.s.s.e. .l.i.s.e.n.s.v.i.l.k...r.e.n.e. .u.t.g.j...r. .e.n. .r.e.t.t.s.l.i.g. .b.i.n.d.e.n.d.e. .a.v.t.a.l.e. .m.e.l.l.o.m. .d.e.g. .o.g. .M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n. .(.e.l.l.e.r. .e.t. .a.v. .d.e.t.s. .t.i.l.k.n.y.t.t.e.d.e. .s.e.l.s.k.a.p.e.r.,. .a.v.h.e.n.g.i.g. .a.v. .h.v.o.r. .d.u. .b.o.r.)... .L.e.s. .v.i.l.k...r.e.n.e. .n...y.e... .D.e. .g.j.e.l.d.e.r. .o.v.e.n.n.e.v.n.t.e. .p.r.o.g.r.a.m.v.a.r.e.,. .s.o.m. .o.g.s... .o.m.f.a.t.t.e.r. .m.e.d.i.e.t. .d.e.n. .e.v.e.n.t.u.e.l.t. .b.l.e. .l.e.v.e.r.t. .p..... .V.i.l.k...r.e.n.e. .g.j.e.l.d.e.r. .o.g.s... .f.o.r. .M.i.c.r.o.s.o.f.t.s....." .o.p.p.d.a.t.e.r.i.n.g.e.r....." .t.i.l.l.e.g.g....." .I.n.t.e.r.n.e.t.t.-.b.a.s.e.r.t.e. .t.j.e.n.e.s.t.e.r....." .b.r.u.
                                                                                                                        Process:C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exe
                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with very long lines (573), with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):13082
                                                                                                                        Entropy (8bit):3.7591618208087683
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:192:ibWEgc1PPPvwOmRxZVd6JZ2aTf0oB3Fbt7RSBWRVhATL2JdDU949dEKCEz1UaHM1:OWTc1n+DozG8ajKCBasWuGSb69jXbOgW
                                                                                                                        MD5:D165530B6BC4913E3ADBD0CFD70AFCCF
                                                                                                                        SHA1:425FA046024A98D130DE3E6BBC54F31C016B92D7
                                                                                                                        SHA-256:738629B663533391811011782EC18B861D3FC4F99CA991E02D6F3CDAF392818F
                                                                                                                        SHA-512:3ED7D8C1FF6F82E41BD483C96481C6FC2C2400560D57D8DAFD4B80E9C9862A65B7353803D1E32F81D1055363AF747BBC0F7E0CFE4D3137D865C128D641B6BAAB
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exe
                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with very long lines (493), with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):11036
                                                                                                                        Entropy (8bit):3.5112797883880504
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:192:1ZBmsLk1avONKePZfwNcem/NfAJmpXjgp:Lbk1aqKe5i0Tgp
                                                                                                                        MD5:FA3D3FDAA9E8578CC7655513917E9275
                                                                                                                        SHA1:ACA28ED87B06300FBDE2BCAF199667C3C24A46B7
                                                                                                                        SHA-256:FD3606645563B8772F3F4E4E2F8262F4E6B66C389B605B3EC1147032A5C93EB0
                                                                                                                        SHA-512:11AF14735EF60735C57BAA6FB82B08AE4AC373B74719D30589B8FA23D97255584B3BF5EB1447F8597FCF31A4408C525E5AE318C2CE1DB974214CEBE914A3AD25
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exe
                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with very long lines (706), with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):13568
                                                                                                                        Entropy (8bit):3.9464247122507095
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:RyqLJFBOFQAfOJIL9OedKezOzMy0sXF971v1rp20:1LLV1rh
                                                                                                                        MD5:8A394C6CD71EC3397391088F851FAB83
                                                                                                                        SHA1:6F4DC77AAF813F8189B44B6F630B715F2F90139A
                                                                                                                        SHA-256:F75B6CEF3E1503951FF417F0FDC58F22455B548B324A30847AB987C55FE4C068
                                                                                                                        SHA-512:D2E5117C30BF7BC3BCA65D8CA00D845FB8A827EBEE57B90559BDDDD4515CADF8AC04D015872420B9543BF66D32BA5C1D3C28CB9BBE654DD5D67E4857648CB3DE
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exe
                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with very long lines (499), with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):11054
                                                                                                                        Entropy (8bit):3.5454751210142135
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:192:B7VbHl7VX7kMWtxHdkzreZO3rM/O0qZ274c27jUMUojx/nA:dBBtR8wreY7rUoA
                                                                                                                        MD5:F6DA06C04CC888FFC190DF464D840B8B
                                                                                                                        SHA1:D17C109D722F646F322854D6C75C8738C957C84F
                                                                                                                        SHA-256:7CF957BA3B9F5F0E7D9FF36B5D607218A95B4C08CBB7EC8E771AE2BB24F00F91
                                                                                                                        SHA-512:8D4003E52BF2BA592E94AB0B047F4B6E2B3782F52FB22DD0F5B1F6D1D936149E77A66EA409F2DFBCE792EAA1D44098D070F8ACE023789D22CF36D3CC91F3F8A1
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exe
                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):3846
                                                                                                                        Entropy (8bit):6.499727744183225
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:96:X8FCWwwqlvanfFoz6BtIbBCB4jPzkGhuJNCPa:ywwEanfFyYB4jPzkGhuJNr
                                                                                                                        MD5:E4F87C9574925A140374866A97985EB7
                                                                                                                        SHA1:D75F7DCF66317650BE2AC21B6AF5D4D469E68A66
                                                                                                                        SHA-256:B7356FCB5DEB6F7D592D9093949E9D958062A23660381FA7E3D4434BBDFB7F75
                                                                                                                        SHA-512:4624487D2E6FF574BADE4DC642B2CDD4D8D3A2650BCED2C4AB4DB80D8F092D95B25BA5C6AAAE3A4FD68FCA2DF5CC484181020B24A36EC4B10B37F447ECE27C6F
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exe
                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with very long lines (573), with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):12638
                                                                                                                        Entropy (8bit):3.4699965008419484
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:96:KgwKAgOBbaMJ/Gz8nfj1rp4zdYi9+uKYKBn9nTU12K8D3dbuZVSdYT+qCcHd3aIQ:ShGz87j46dKrJi+oj9puTyPUV2G3D4n
                                                                                                                        MD5:2D5E3482ABDC63619421C9BD38E7BA5D
                                                                                                                        SHA1:6F5FD0FA20EF1B621CFEE4257DC71E5967215633
                                                                                                                        SHA-256:8F8AB652D81D3142101177FDDE9C02D8F0C00CC0E0DEB75934785F592375F148
                                                                                                                        SHA-512:9939F85CAF5DCCFC224C281D970EEE22C6182BF57761B98BDD4C3F74FFC0B7700DA34E6CD497153AA878EFB8D140AAB06AD7A2EB7BA009C9629DFB65982E9FE2
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exe
                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):3212
                                                                                                                        Entropy (8bit):3.5554609285205743
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:96:rU7j7276P7Q7rWQPKFBFe7ZE7+7Yg5X747LYkfYO:U/q6zUyAUu6iv5rsIO
                                                                                                                        MD5:7E29745BB901DAA24C6391F8DA54B399
                                                                                                                        SHA1:BE24A497828A051C65E5EAC58DF36E45A0F30DA1
                                                                                                                        SHA-256:0DA855F1FFF35AD6B627EB1C6D302D3DB6960E5EB60DCD1065DA187624D36AF5
                                                                                                                        SHA-512:16A52F79C28963ACC6FBA9DEF64B912155847332717E3D6E13A0309623768C16712B3667346597EFD720289FC144757768C60E0754F177C2CFC9554DCF039DAE
                                                                                                                        Malicious:false
                                                                                                                        Preview:
                                                                                                                        [ProductNames]
                                                                                                                        ProductName.1033=Microsoft Visual Studio 2010 Tools for Office Runtime (x64)
                                                                                                                        ProductName.1041=Microsoft Visual Studio 2010 Tools for Office Runtime (x64)
                                                                                                                        ProductName.1042=Microsoft Visual Studio 2010 Tools for Office Runtime(x64)
                                                                                                                        ProductName.1028=Microsoft Visual Studio 2010 Tools for Office Runtime (x64)
                                                                                                                        ProductName.2052=Microsoft Visual Studio 2010 Tools for Office Runtime (x64)
                                                                                                                        ProductName.1036=Microsoft Visual Studio 2010 Tools pour Office Runtime (x64)
                                                                                                                        ProductName.104
                                                                                                                        Process:C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exe
                                                                                                                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):792728
                                                                                                                        Entropy (8bit):6.06909961626245
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:12288:SjsYryw7kNihcR24YvI0g7iWxU0urSNsa+/Qpi2fncx9u6lB:XYrP7k8iuH4+GIgk
                                                                                                                        MD5:D2AC2D95581DB0D6B52757C2ED839E85
                                                                                                                        SHA1:E592B595B74955A58F2F871CF90CFC686DCD871B
                                                                                                                        SHA-256:14FCE0E16AF46F78FF399C98F2B937D40B3C3E6D8AD9AC9D5773BFCEB3049BBE
                                                                                                                        SHA-512:DF8F2EC89ABCD246ED13F6E61E859C253416C48BF8A1D860A9875BFE1AF3A2296F2BC7079B05653240A41CEFE9AFFE8D5A14FB83790664DA58200F3CE351D0C4
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exe
                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):13146
                                                                                                                        Entropy (8bit):3.458299984410832
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:e+bBI+eziLMDwETkLpJVXNG/aqWTD5a6wPfaI5aC:xbBpeqSypw3aI5aC
                                                                                                                        MD5:61CCEE94B07C323A2BEFB2D107BF4309
                                                                                                                        SHA1:28A0579785FF62CFBEB0315F3042510B0292A776
                                                                                                                        SHA-256:021ED1EF592805805AE6E3F8301C7360B0BE7634EFFEDF51FA471BC0C8CCF93D
                                                                                                                        SHA-512:C52A68782FDD9E23BD2A3C25C727BB3B1FEEE87FAD46F48C59633E4076DF74AAC19F84758128ABB0584623C8881AB8167C1C9FBDF36BB0EA6DBF3C7A0C630B7D
                                                                                                                        Malicious:false
                                                                                                                        Preview:
                                                                                                                        ; This file MUST be Unicode encoded and NOT UTF-8 encoded, otherwise install.exe chokes on it.
                                                                                                                        [Setup]
                                                                                                                        ProductName=Microsoft Visual Studio 2010 Tools for Office Runtime (x64)
                                                                                                                        ProductMsi=vstor40_x64.msi
                                                                                                                        ProductSupportURL=http://go.microsoft.com/fwlink/?LinkID=139466
                                                                                                                        SupportWin9X=0
                                                                                                                        MinNTVersion=5.0
                                                                                                                        CheckAdminRights=1
                                                                                                                        ShowFeatureOptions=0
                                                                                                                        ShowDestinationFolder=0
                                                                                                                        LogFilePrefix=dd_vstor40_x64
                                                                                                                        VerboseLog=1
                                                                                                                        RebootMode=1
                                                                                                                        BitmapFile=
                                                                                                                        CustomTextPrefix=
                                                                                                                        UILanguage=0
                                                                                                                        UninstallWarning=1
                                                                                                                        Process:C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exe
                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):45736
                                                                                                                        Entropy (8bit):5.062351030831879
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:768:axO/Oa8qN0VePDXixFKLCBDXil4qu5yRRDFNXiQ+:axO/OaGePDXixUwSl4qSkRDFNX8
                                                                                                                        MD5:3481CC60626CB72B894D13D6A655BF13
                                                                                                                        SHA1:9DC47EB83B55A84A54F55DB03D57F3BC27D9F160
                                                                                                                        SHA-256:D43AA24D8EA2B548D6E1D787DA14CCE75D6E0F4F1BB8C7D7CC18F91C93078E44
                                                                                                                        SHA-512:349563E2B22B57F8DAA1D4A293DD4545F7C5D8EA5F1418789195447C7B30B0106A5BFC0EC8997ED6D53826FA8E36D9CEF07578084B1BBC9AF94A892F0D46FE00
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exe
                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):32936
                                                                                                                        Entropy (8bit):5.746882227872104
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:ov/xRYLwO/JaZMmNg9u34ciia97NZeTiaWOUWhy36q0GftpBjcfPA:gVO/Ja2gx3av1Nk+66ki0PA
                                                                                                                        MD5:0C601DAD444BDF0C58CEAFA671BEF628
                                                                                                                        SHA1:C2F462124BADAFEF63A257D479241DCA9A6BB8CE
                                                                                                                        SHA-256:84C7F3F0AA2A749BF931CD6A832B46C434DA7E2B750B64E9B2240649D585F6B1
                                                                                                                        SHA-512:711FC6CBCC7A9DF0375F920A7033CAAC352BFDB4398D1887B8EF892AC74C5B934A94BB16B21CF90FD8F42F67B5EF1A16A3147B00B7A53B3038825F246E92CF82
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exe
                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):50344
                                                                                                                        Entropy (8bit):4.470125919928137
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:Rn3RYLf+O/L0aR0UiVTAv7UXn6eTODS6kQksW05UW3aCIc3q0GftpBjte8:Bq+O/IaR0tVTAjS6su7i3P
                                                                                                                        MD5:129015CBD620FA7DBDA9BDCE876B0D65
                                                                                                                        SHA1:9872A0FD0B1249D8FE6FC5BAA21A0610A2853C2B
                                                                                                                        SHA-256:D4D1FFEDDFECFF4933187A8FE2E215DADC8C70C7BA2BD2BD12F9304C8E7227A1
                                                                                                                        SHA-512:02FB382EAA55BB12C7D09E7E326587EA255FB707B3EA1E38004C1541668BD3AB253BBBFE97DA31F9934CF9C5FAC6AB47C63291CEEB2782B97EE3DC67F22082F5
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exe
                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):53928
                                                                                                                        Entropy (8bit):4.436532581521845
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:muO/yNab5fDNh5T8fdXWohToh+ohvodoEugvhGKQG56KjtrE4HEruwr2U:3O/yNab5fDNPT8fdXWohToh+ohvodoEO
                                                                                                                        MD5:E42F6B340C6C27C0BDD3312C73B23E57
                                                                                                                        SHA1:E3021824C46E09812F3B9852C7BE8443D4FFAE40
                                                                                                                        SHA-256:F33E77BC556D67DEEE27BFC2C69E7560BBFF3ED04DE6DCB45E8CF751C7CA87F6
                                                                                                                        SHA-512:A6D4E065D474080C5D13A393BE761172EC96A606B14BBD66CE54EF4100A88618274A746B429494B89BC405347A5223D5C77096A75EAD90342A1559B344CE7637
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exe
                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):48296
                                                                                                                        Entropy (8bit):4.4173941835656585
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:SnMWxUW7O/iaqnrPy9YmhjHs429cCyuirvIGP+igty/+umE9rvvPUz//nn6MNibE:SLBO/iaqexK6UMQiAr
                                                                                                                        MD5:8C83DF42AF6C850F758D8B43D8A058FE
                                                                                                                        SHA1:5B775ACE433DB2F270C0EE798E7DBD3DA337DEEA
                                                                                                                        SHA-256:968BA1F17D1155F69E2717001EB820C506A981E8E26654D6E5EDB08B48EE8123
                                                                                                                        SHA-512:409DF7DD28CE137B8CCC132CBADA901FDB4AEEB5E7D0C59098B0BE286034FB07C91108635B88AB44C8C76887C108551990F136AEA2E3F3EC0F0B2A973D52C8A3
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exe
                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):49320
                                                                                                                        Entropy (8bit):4.445758536014717
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:2PHRYLjO/Njah2Sha9NUJaSvdr+0JuyXpng8c/wGgqwEWhFBW9UWJaCIc3q0GftN:+kO/xah2B39YSy7pn6/8hnoZiQM
                                                                                                                        MD5:66BBD942827EF6795902CA697F67B1E4
                                                                                                                        SHA1:19451B896B167BDC5B3D15B3FA4B29230512ED1E
                                                                                                                        SHA-256:D8A8664B3CBC52E9242EB319D6F9A9B265B0154C2614ECF90F4983D774D92FD5
                                                                                                                        SHA-512:28A5100B0E16C1E31CF92266C7C5839A8983B146763010C60EB8F4B3175BD271507F895F601BF0462BF486ADDB21D9C94FE2327C66495EDCE6E77B95358FC08F
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exe
                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):54440
                                                                                                                        Entropy (8bit):4.404258423359341
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:hf9RYLUO/PaXpZNVr1gy/1GCH4BXbmu9uqnsJIHeuFVUwP9ZdLrNgyNgAHUcF+8z:5lO/PaXpZRg41isJafbfgN8zviLC
                                                                                                                        MD5:A3109A9AD26BA92914A92B32EF148DA0
                                                                                                                        SHA1:746CDD52A17C777E423E45AEA70884EE3617A50C
                                                                                                                        SHA-256:57F3AEEBD81CC6DB17A7F3A3E7E4B6225D9CC4F481943CAD085AA5ABC35ACAF5
                                                                                                                        SHA-512:D69556139B1F7DA098AC76DDFEDDA11D92DAD199A5C16EC6EEC7F4A0E6AF676F4A05675BDCC036AB72D7F2A72E4918805551F7B727A34ECD441C776C178F632D
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exe
                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):43688
                                                                                                                        Entropy (8bit):5.1194883050998365
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:HnIRYLrd4zR7/OeR74l5K6W/Xf0tEJzXy0LEvisgRWpUWmaCIc3q0GftpBj4:HFd4zR7/54WVf02JzzIqrkIiq
                                                                                                                        MD5:CF69682175090ABFC0B9CEBD4CC40335
                                                                                                                        SHA1:59A11C03D1CDE57E964445B3A0A68748B4B3706F
                                                                                                                        SHA-256:368C2ADACC0C674D1F742490617E71DD22D93127591A8FB00298E16FCA48AE4A
                                                                                                                        SHA-512:55AD3A31FDFA20FAABC4BBBA1C6E04419131E7C613CD64845BA1CAF992A92FE2B5F9888B6676656E90E940C19D1573DDD41C1CCF51B54E597106CB3D61F41C9C
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exe
                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):52904
                                                                                                                        Entropy (8bit):4.399710337546162
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:iTDQRYLxO/2aduf/7pBxw267DbkWhqK+plHho5kI7WaUWQaCIc3q0GftpBjJl69:uDjO/2adCWbkWhqKxkOeijl69
                                                                                                                        MD5:268233FDBDC6E59C4D24906088D5041A
                                                                                                                        SHA1:F0940E01C229766FFF2340B4044E5C4045F84B0C
                                                                                                                        SHA-256:6E1D9396863ADD2E1E1C52499BA98DEF053F3B9775D79F7E4EE020DA5220317B
                                                                                                                        SHA-512:90FB2778258441E4E23153217CDB90A7262990D585A507BB0D8D5898F22724CD7BB856CDD27CD92093CF155394C6E442AA0F2BA19761AFFE5D980E976CA1CA41
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exe
                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):38568
                                                                                                                        Entropy (8bit):5.558295085602389
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:ffn8RYLVO/9a4dnN4DJyXeM3cEjf6frTseeHYS7KBeDBW7c7PpWeUWPy36q0Gfte:33O/9a45N40XQEjif3+BW7cD0kiA
                                                                                                                        MD5:AD734806F4812A6F7D71E9871CCB220D
                                                                                                                        SHA1:A3B081C226EC11EC9976A271D63E600A1BB8AD9C
                                                                                                                        SHA-256:43229EFF1684D081D1A1113768C745487A25A422EF351B836EEE3EB8B8F5E325
                                                                                                                        SHA-512:CC478E639FDFB2F79209D603BCBC1D92EAB62D9226F87D1E032BB0B957E463482783029A6F45DFD90AB6E01A4796444A91E5CE3F645B2E6D0D2DE599CA389043
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exe
                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):37032
                                                                                                                        Entropy (8bit):5.705399423756048
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:AnjRYLOO/iVga5hgnaKWl5t87byoppEThPpIgGxO+xOL/xOBDB3PLj5uqCQSCBYN:ARO/iea5yy5IelPpDEpq2X6lia
                                                                                                                        MD5:EAA3A5C19557977A318BB27A5CD8833B
                                                                                                                        SHA1:D75E57F4C0B305B1610FFB1E545387002EB73A56
                                                                                                                        SHA-256:746DE4DDE78CCC16E6E4DD15E1A36D62A7D4FA9D74D85940BF99AA04459CCF1E
                                                                                                                        SHA-512:0F346163245EE530578FAE13DE7238DF96D52BEF44397DB4411ECBC4972A4CEDE32D610D4D4DAEC787EE91CCAF9014E04433D1D960E021B626784302658F840D
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exe
                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):51880
                                                                                                                        Entropy (8bit):4.4300236950336425
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:768:wNO/2aLQqb5IZWBL6xmY4AVh3TarMFi+m:wNO/2aBb5IgBL6xmY4Sh3TarKO
                                                                                                                        MD5:F5517017600E899CA404422461B7FB8A
                                                                                                                        SHA1:819124B69C830690433A9FE1D553573DD7A062F9
                                                                                                                        SHA-256:86A1191AF8FD5D476DF8210476A6F4097A7F23E2596DB79B18CC9ABB16DA58B4
                                                                                                                        SHA-512:9700A7BEFFEA5DF04344A25EF731272C6DE58D8C1024E5E40754D0D729DBDF56D918B017227FD36DF15B04944D8146D19385EFDA5A9122536D728A2A2D67B0EF
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exe
                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):49832
                                                                                                                        Entropy (8bit):4.464232538419014
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:768:D1Gw5xO/ZnaDkIMA6Q7wMN1c94EYTrQ6sNkDtJii:D1Gw5xO/ZnaAIT6Q7wlCEYP2kDXb
                                                                                                                        MD5:CD8D886CD68925F95C114C3FA21ED94B
                                                                                                                        SHA1:CEAFBE9A40508A78CAC3C86BEB47F21AE24321E5
                                                                                                                        SHA-256:FDDBDF844B3190CBB1F251CCE4FC607E9B30AD8676FF6CD8123CB3780FFD97C2
                                                                                                                        SHA-512:656BDA40F2BAC24502BF5ABDA35A36E2C3FD252CEAE1E8FEF0A68F8F2CF67E3957BBE357815FEA153A1B7C06AF164DE824499EAE108244272683E60AD37C4B38
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exe
                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):51880
                                                                                                                        Entropy (8bit):4.573380965767125
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:768:ioO/hant9V1iWerIcGWQW4uuHuqILBE8y3dqiyJ:ioO/haOX2tuAdqZ
                                                                                                                        MD5:AD8E8D3CCC42F8976A7BBB4D8A9EC293
                                                                                                                        SHA1:A6A88E0BAB7E4C4B24614A39AF347F93A6D9EEBD
                                                                                                                        SHA-256:442FA90E501CDD28F0207F96A86AD8FBE6A21533962A75792EA5FCB1C2C83B72
                                                                                                                        SHA-512:5177002CBCFBF40B8D3B66CF91D94E7E67153B1C3113061351462334D64B8150DCC96A9DC6558D8387C44574684E6ACCC9CF209477444996487CE1C7A9F3D7A9
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exe
                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):50344
                                                                                                                        Entropy (8bit):4.471039723806081
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:Mn/RYLXO/Ha5CWf4cWvWYzazB0+ZrYhNyLErgrqpRqvSID39WUUWnaCIc3q0Gftm:MQO/Ha5C32tzMAwkK4Dis
                                                                                                                        MD5:7C71C36D2BB0566BFB6293FFF858D874
                                                                                                                        SHA1:C30A8BFEF9755B6AE0283E3438330378E127DA63
                                                                                                                        SHA-256:63B9E6AB7734EDD1E21AD1F2C23736CFF08233A4146ABC6B51B53AFDA186BD64
                                                                                                                        SHA-512:AE8AE09CA0B6127371DE6343B8AB222E2C4F75D5B9F97EF2D846EC4E21C63B1789A024A336768043A2EDC0CF8D1D43B3B4A486C027325FC6214E2E180131623C
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exe
                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):50344
                                                                                                                        Entropy (8bit):5.011211165315562
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:NnNRYLShzO/WdkYB8sXUJlc0ih/hRYKtWdDFzUWZQpbEq0GftpBjuzo:9RO/ckYB8XJu0G7tWd53Jikzo
                                                                                                                        MD5:A78353780B2EC82F8103C0D57A8E1771
                                                                                                                        SHA1:1F6A0184AB0CDF6F3CE8E1972514D1F7CD5D01CD
                                                                                                                        SHA-256:5796AD08D023F9ADFD870FDBE079D3A819502B57082DFAD90C86AB177603DD5E
                                                                                                                        SHA-512:0E3783171BED0FBC9B68A9C1752F7B5F030B5E777D510D0936D132FDEEA82A8CC0B371C2F15C444589A175F0F64D486ABC0E0A350B483F5956C5B6663E8BC7B7
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exe
                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                        Category:modified
                                                                                                                        Size (bytes):49832
                                                                                                                        Entropy (8bit):4.48993308396799
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:768:IydOGO/FnaZkz078Fo0SS1OS/q+GFCsBSixJ:IydOGO/FnaSzAUo0SSOS/q+yCsBSW
                                                                                                                        MD5:151161B0025AFC00F9B8A1881D11B582
                                                                                                                        SHA1:38253EDC3CE268F68A3EB2ABF1C82D7003B6AB8E
                                                                                                                        SHA-256:8BBAEC743F8DF8E3273EBD4378C9DD3F84B0474F4D878CE27CB847B662CEB740
                                                                                                                        SHA-512:3D340909A2B37807B46A94416BD3FED7B7F4CA1E26857F2CDC8E586E88484BCF7301128C396DFE20A6C64BD3446FFD68E0F6F57FAD493DFABB5D9A31D0BFC11B
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exe
                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):32424
                                                                                                                        Entropy (8bit):5.728182779024484
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:QPPRYLFFkdx3p4UR75djtQcmSkpOQHW5UWaaCIc3q0GftpBjR:4QFkd5p4a9QcmSkZGIi/
                                                                                                                        MD5:64CDAA4721C6CCBAFD6D2A4E8BD837B1
                                                                                                                        SHA1:6ECD61D137E0EFED59562234A93C6B0952BE4C36
                                                                                                                        SHA-256:80EF35953C1686B68F24C8F0155B44055F607AA47D54AB4B8A263A7B434E2050
                                                                                                                        SHA-512:D4B8E517456C164D928A127775A954A492BB533F3C49574B345D82927CFD42DAE7575470190E79272D9B3AC935BF8B07C3FFC6F26EEB13E854726BB5F175E88C
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exe
                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):53416
                                                                                                                        Entropy (8bit):4.356280752864515
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:yntjRYLhO//aTA+xNN1LeLx++8Ly1UemNQ/KDe5FpRNmWkUWU8y36q0GftpBjlK:yAO//aTA+p1LeLx0LB8uenpIgkibK
                                                                                                                        MD5:EDD4C71DF8EEE3D81D9AAA2338EC8ECE
                                                                                                                        SHA1:4090F1ACCE1D7BB01785CF3D3305E699C9A2C321
                                                                                                                        SHA-256:5A24D09C7DAB6250578840AFBF6EB8F008A22C200AB44CC73ABFA69C04ED62D7
                                                                                                                        SHA-512:F3F708A039EDD985E53FCEC23AE25E71A23511174352FDC2B043754CC6C18FBEB85B9A7399684B4CDCDA4DD7E17588FFD8B5F63ECAA786C06420686BB4412D27
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exe
                                                                                                                        File Type:Microsoft Cabinet archive data, many, 2098198 bytes, 84 files, at 0xdc +A "ActionsPane3.xsd_x86.3643236F_FC70_11D3_A536_0090278A1BB8" +A "AppInfoDocAddInsStoreFile", 20 cffolders, flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1503 compression
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):2105054
                                                                                                                        Entropy (8bit):7.999700742986995
                                                                                                                        Encrypted:true
                                                                                                                        SSDEEP:49152:HXbGAy9XMAQXGnZkn8SFJ1FxrSO/sh6b9s1FDC2:H6vGXpnhL1FxK0h4FR
                                                                                                                        MD5:929578861CE75212462D6949657F8EEA
                                                                                                                        SHA1:DA34712AA9E9A98E6C0F4C30B597CAED1F39BA38
                                                                                                                        SHA-256:102488FEE2E99AD2F90E29FA13805ED7D04397619698D1DB9EAEFEF67E13486E
                                                                                                                        SHA-512:A074BA6F7A690E639A70BEB340E810C962C400EA286CFA11C9FD11A4BFDB00AE19C94EA614A56E4D92DEA2E83170B42E1AB421FF3B138B5AFDD9FFFE3509918F
                                                                                                                        Malicious:true
                                                                                                                        Process:C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exe
                                                                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Microsoft Visual Studio 2010 Tools for Office Runtime (x64), Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual Studio 2010 Tools for Office Runtime (x64)., Template: x64;0, Revision Number: {011224A3-6FF2-4548-95B2-8E1F0DCB33F9}, Create Time/Date: Thu Aug 25 05:31:08 2016, Last Saved Time/Date: Thu Aug 25 05:31:08 2016, Number of Pages: 300, Name of Creating Application: Windows Installer XML (3.5.0626.0), Security: 2, Number of Words: 2
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):565248
                                                                                                                        Entropy (8bit):6.203300395032623
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:6144:v0jV7krae+YhOLvd0JYqhwMMDjTUsxKCCDjzsn9v/AlyYFTwSoT5jdSAPLQmlY1Q:vwGfSvd02qhwMMDpUpsh/Ak/7DlYu
                                                                                                                        MD5:CB7DF3525C2FBDB02ADF3CCD4A4C9432
                                                                                                                        SHA1:E070E83A52A4CD6F57E85F6CB3C52BFB82F68429
                                                                                                                        SHA-256:3789F88A27EBD9C8157BC40E8AACD64129EFDF0354F5CDFC7C2212EF37251221
                                                                                                                        SHA-512:69CE2534802802337070EC96CF124488558878B8816C5584B03FB27CC568D7F6FB9001CB576F0E8583DD5578943823D2508CB14741D832DBB0B6F834F359080F
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:data
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):46533
                                                                                                                        Entropy (8bit):5.549930908633684
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:768:ZPWjKAxfwHQXqddMFnyTYaEhR9l4zKYs2P:QjbaN
                                                                                                                        MD5:0F0C3A648306173BF5A242DB196A153E
                                                                                                                        SHA1:FDE3D82F476280AB3A3DD3991F5E370E057F2DAD
                                                                                                                        SHA-256:CC7FAE10E75FB7959CC2363E9A4DEA30B000C42AF0B4F6EA5334B8812BA0C625
                                                                                                                        SHA-512:66A9BF712A582609B5C9384AE7124A50CF6DE3FCFA348B977ADDEBD0C137E0DA715190AA54C994B9E29B7E341658DA5525C9C6A16A0668E2EAF03D04E948390C
                                                                                                                        Malicious:false
                                                                                                                        Preview:...@IXOS.@.....@...X.@.....@.....@.....@.....@.....@......&.{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5};.Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219..vc_red.msi.@.....@.....@.....@........&.{461C455E-DA40-49B3-871B-14308CC7CEFF}.....@.....@.....@.....@.......@.....@.....@.......@....;.Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]#.K.c:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\.@....#.V.c:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\.@........ProcessComponents..Updating component registration..&.{8453C4E7-26E8-3408-B3A4-5940CA95BC60}&.{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.@......&.{1414BD84-D9A5-3EE5-AA73-118D7C072370}&.{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.@......&.{E2F46933-FF4F-46E0-B997-F64D2C6D4FA1}&.{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.@......&.{529D0A60-398C-38A2-97EF-82FAFA798A06}&.{F0C3E5D1
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:data
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):46654
                                                                                                                        Entropy (8bit):5.552815113927644
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:768:RYyMuCg21kTx9/DoflxL18qHxEh3HNoIkg42Cp:eyMuCg21kTx9/DoflxL18qHks
                                                                                                                        MD5:B34316E5C56D75AC9880682554C8BEDE
                                                                                                                        SHA1:0F8D4353F8032A5D2CE14AC9FCAB41E32FFE3ECF
                                                                                                                        SHA-256:26A22690007867A70A02B37D2BFFB9BE70F8124B31BC0D15BC58248F88C2D1B9
                                                                                                                        SHA-512:5AD9240B22D074903B3DB07C625D89848DFE918C1D49F6E8E220EC91D3DBAF8D772C6E05500B077CAC7A0C5221936D06DE8712D897027EC04CB10C9BFF51D887
                                                                                                                        Malicious:false
                                                                                                                        Preview:...@IXOS.@.....@...X.@.....@.....@.....@.....@.....@......&.{1D8E6291-B0D5-35EC-8441-6616F567A0F7};.Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219..vc_red.msi.@.....@.....@.....@........&.{80902F2D-E1EF-43CA-B366-74496197E004}.....@.....@.....@.....@.......@.....@.....@.......@....;.Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]#.K.c:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\.@....#.V.c:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\.@........ProcessComponents..Updating component registration..&.{22CD0840-10D2-3F4C-A702-770C23400822}&.{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.@......&.{55AB560C-46D5-3298-83A0-AA1217112368}&.{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.@......&.{20122449-38BF-4F42-B1E3-C77D4B22DB7C}&.{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.@......&.{4EAB55CC-6645-36FE-84E7-0823E5DF6499}&.{1D8E6291
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:data
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):1270854
                                                                                                                        Entropy (8bit):6.157852843575865
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:24576:CBcqUe3eRbfshwXDpUpQUhwXDpUpQvhwXDpUpQhhwXDpUpQqhwXDpUpQ8:IuR4hwNUSUhwNUSvhwNUShhwNUSqhwN2
                                                                                                                        MD5:C8831E4384255CE41CB74F5CA5B9AC81
                                                                                                                        SHA1:7BD82F3C6BAD5D307C0F5F3186964003A869FD63
                                                                                                                        SHA-256:E5312A14B2DC1B5E639033B0696CCF0A0B2070E924E88408864918B1AB1990CC
                                                                                                                        SHA-512:0BD1A17101C518832AF548CE48AB60CD0F1C8A8991F776D7843375B3E59FD9288D21FED0D59BE0E521082E4A66FBBE03110F8D533AE8A451C2F122766E5CB79D
                                                                                                                        Malicious:false
                                                                                                                        Preview:...@IXOS.@.....@...X.@.....@.....@.....@.....@.....@......&.{FD9D64F4-CAF5-3D23-845A-B843C78CC1A5};.Microsoft Visual Studio 2010 Tools for Office Runtime (x64)..vstor40_x64.msi.@.....@.....@.....@........&.{011224A3-6FF2-4548-95B2-8E1F0DCB33F9}.....@.....@.....@.....@.......@.....@.....@.......@....;.Microsoft Visual Studio 2010 Tools for Office Runtime (x64)......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{E2147DCA-DDB4-4245-91B3-ED5EBB2A36E6}&.{FD9D64F4-CAF5-3D23-845A-B843C78CC1A5}.@....G...c:\Config.Msi\44aaeb.rbf......c:\Config.Msi\44aaeb.rbf.@....~...c:\Config.Msi\44aaeb.rbf..?.Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll.@ ....@.....@.......@.....@..........&.{39A436F1-525F-4D9C-95E5-01D682F0FB25}.@.........@......&.{39A436F1-525F-4D9C-95E5-01D682F0FB25}..Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0,version="9.0.0.0",publicKeyToken="b03f5f7f11d50a
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):55232
                                                                                                                        Entropy (8bit):5.301232070002335
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:NA4dzYZj6Tt3jmpuXkGtrfK76lNWg67KGhJSxUCR1rgCPKabK8tBX5PKytZ+7n3D:NHK6TtMGgpFiJi3SYDwnzaEX049zOWM
                                                                                                                        MD5:45865AE1A596E76F4936F67183B7EFC5
                                                                                                                        SHA1:769F5ED3DB900149F8BA44BFBCA7ABA1E4DDB0B1
                                                                                                                        SHA-256:40CE4A852EA5BFC3DC0EDB193770C7ADB83710A54D91431BB2196571BEB8DD27
                                                                                                                        SHA-512:AE842E15757DE731484883B67BDA37BA75D3BEC06A13EC9248F5E7FEFBCDA1B1E8B0BD4C6335B1F325B88D64E54B5A102C47BE68917F0F0A6264E699DCA9DC99
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):45504
                                                                                                                        Entropy (8bit):6.0524302339486065
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:MuvBk39BmxOVst4SCtrpuXYa1pbr/0K7ynKJ9Yu6dnPU3SERztmCJMadMardz/JX:nGfZs5CZqljR6rqnu0z45zayC9zl
                                                                                                                        MD5:C95304E598BEAE252B7F36D021B6A2B8
                                                                                                                        SHA1:6CB5846C09F4F8A00FC3DD2835B3F5080B23539F
                                                                                                                        SHA-256:FCF2370B21418D4DEAD8209767C516EE8B074A093F97551EDFA72979318E2B87
                                                                                                                        SHA-512:F90BCB618A817E432A88A0952C5D1582EDC656758F71A7582D6A8DD12D40071447260117A834A3693C7D350C6374FAE03FBAF41E31DBDCEDAAC9C224B66E72F3
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):87960
                                                                                                                        Entropy (8bit):5.343114416728536
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:ZdVV8XW/FipNGfGBEPz0ceceimOUnabxzr2:ZPlZGQ0bQenYxH2
                                                                                                                        MD5:7F4D23EFCA98AE89B415485573AA7B78
                                                                                                                        SHA1:3D85C073AA545097254461625FDD7AEF24C2DC5B
                                                                                                                        SHA-256:6C38DAC0700FF8578270C45F7112CBB445EEB2DE4A13AFDE722FFFA537622CD6
                                                                                                                        SHA-512:ACB4DEC49D4D980B850237CF5839A5A520557536F31F18A24885324C755F886B98B56703D512CFA362DCA03920DBC31FBF8F4BE5D407DE24B95714A9FEDF8247
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):39360
                                                                                                                        Entropy (8bit):5.941435808788051
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:Pght+fMtSM9jmxa1CFbiKJ9Yu6dnPU3SERztmCJMadMardz/JikPZ+3yW8ZNWbzN:PgX+Etkqs6rqnGMyzabdC9zUyd
                                                                                                                        MD5:B144C05A9D362B0192B82EDD6C78B0A8
                                                                                                                        SHA1:1F7E9E62015909BB2BC65AA02975B8EB2B6446EF
                                                                                                                        SHA-256:4817A4D61156DE72746E710649AA76FE5F096E7D057EA16B8D00B2E734DCB7FC
                                                                                                                        SHA-512:C115858C883960CDE5451B8A0C6031400EC4B5912C0EB733E6B39C74150757BC4B23C5FC9E3F1D977CCB319A69B1E4D23121698F38BA8D6CE8783DD88D026132
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):39360
                                                                                                                        Entropy (8bit):5.937885899125589
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:5QOJrYa7mdessomj5R/yeizfa19lr+KJ9Yu6dnPU3SERztmCJMadMardz/JikPZp:5QOVYoxVUqvF6rqnz0A0pLdza9C9zI
                                                                                                                        MD5:F540B95C7D568209D5DA3688E99CCB7A
                                                                                                                        SHA1:D6B8A5CEC2E7D8363830AB090AB0DC676AA71BB5
                                                                                                                        SHA-256:15D5D45668E2E7638926C631FB165DA8F2E66EB754E4F0A5FC7D3690472BD856
                                                                                                                        SHA-512:1F9EA8BEA3D868F58A26CE4DE33128D5ED31190ED2B346BB681C5FE9EA1EC1761EADEC6B453C918DCAB08AEC2745AA88EAFD0605C20999CF23FC00D2F881997C
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):32192
                                                                                                                        Entropy (8bit):5.851354495548386
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:+52RrrOcCdqEGSGEg67KGhJSxUCR1rgCPKabK8tBX5PKytZ+cZhP8W4XYWqzuHRo:8urKjgEnGEFiJrvPAYzaetL9zHL
                                                                                                                        MD5:AC85D6FFBD1277021ACF95830FF4A593
                                                                                                                        SHA1:E5DE3067B79E9F751B570972823D83D8B19098D0
                                                                                                                        SHA-256:24C1D4DE6C3D89A1F4925C5DA0AC98B6D4A76C880A4D4C56C05C586B4F98D6E9
                                                                                                                        SHA-512:4FB4DDBD8759588276BEE1D2816DF18ECF4301177168AC1F68AAF3AED408C0F124BB004F8325A378A7AA198A039CCCD3C60CE10B03F18F4C28998E59FEE0392B
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):28608
                                                                                                                        Entropy (8bit):5.861320614095071
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:Up0wdaXOa1F+KJ9Yu6dnPU3SERztmCJMadMardz/JikPZ+819WIYZ3gWGzuHRN7N:40Ka+qn6rqnDGAzakC9zX
                                                                                                                        MD5:EBCC9B3A9223ACB7DFFCCBEB5F766C61
                                                                                                                        SHA1:0E2D91263CC4573A8532A9D13ADD1C0741EA5F31
                                                                                                                        SHA-256:E58259826E56A6AA9135A479F63761E829A1B52E2BB1ABD06D6A47B84A427F5B
                                                                                                                        SHA-512:71C44B596716EA2CD3CAC78F13BFC8EC88F23E215946AA1DBF2D6997FC32CFF022379DB19CE1936C1398D6DFA596946B255C68BD5810DFF73FCEB8B6346AF3F9
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):296896
                                                                                                                        Entropy (8bit):5.752379741031557
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):120728
                                                                                                                        Entropy (8bit):5.48834391281
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):159168
                                                                                                                        Entropy (8bit):5.98948717658523
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):153496
                                                                                                                        Entropy (8bit):5.586127674116096
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):197568
                                                                                                                        Entropy (8bit):5.792321709829409
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):88000
                                                                                                                        Entropy (8bit):5.399074176375856
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):448408
                                                                                                                        Entropy (8bit):5.880078884667516
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):309184
                                                                                                                        Entropy (8bit):5.732418336070065
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):141208
                                                                                                                        Entropy (8bit):5.554575244546883
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):104344
                                                                                                                        Entropy (8bit):5.45866794021526
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):369600
                                                                                                                        Entropy (8bit):5.9130412553975376
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):370584
                                                                                                                        Entropy (8bit):5.647787099465128
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):88000
                                                                                                                        Entropy (8bit):6.042154982014731
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):45504
                                                                                                                        Entropy (8bit):5.8932046089537184
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):81856
                                                                                                                        Entropy (8bit):6.078014122014269
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):92056
                                                                                                                        Entropy (8bit):5.570355460301267
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):59288
                                                                                                                        Entropy (8bit):5.1377952848421815
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):28096
                                                                                                                        Entropy (8bit):5.894464521669191
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):47000
                                                                                                                        Entropy (8bit):5.088452369159424
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):63384
                                                                                                                        Entropy (8bit):5.225545395024719
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):47000
                                                                                                                        Entropy (8bit):5.105632016039221
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):75672
                                                                                                                        Entropy (8bit):5.501885877652137
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:Ypvk2mCtNGNMGfRfESSgOX55uKG/SmawWQieNar3z:QkEGfR8SSgOX55uKG/SmaTENC
                                                                                                                        MD5:2058EAF207EB3DD03105608C0D61E295
                                                                                                                        SHA1:7653EFBA2999AA91ECD4FCC29E743CD9538FFFDF
                                                                                                                        SHA-256:769F9FA00BA9971229EA03980D8A36FC29135B1AC58CF078AAE87440F3003525
                                                                                                                        SHA-512:EF191C51DCE32202BBFE82BE27A60BA5E483477FFE51F28E30BF10D5AFEDF07C08D0473DBC182EF6A67558A8DF930F5DE7AB86AF93496C2A3659AB62572DB395
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):67520
                                                                                                                        Entropy (8bit):5.9839998336806515
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:Rc7HHzMKpyGZ3Jr249XJqZqNbPUa3qwzOg:Rc7HHzMDG5JdJqZqNPU5w5
                                                                                                                        MD5:68F2FAB7A5B7267B9174017056004307
                                                                                                                        SHA1:1CCB99FA32676A5E42C8204A05A0860865C4C6BF
                                                                                                                        SHA-256:61B358B2BD85230C7FF3019878D721715454CDC8B48C1FC26DCA04B0AD08F165
                                                                                                                        SHA-512:A236FCE44CA1F9B46C59219EC11ABDD21C244E260613CB32A55FFF3D88357CDF48820AACA8F724957B3EC16EFEA2CB45F9746714975A4E206263669FC7701279
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):66496
                                                                                                                        Entropy (8bit):6.035705182194201
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:ran8MPqcyyaZM+TeVCB5+G9cTvdQc1bqMsej2FBD79apjzPgt:NMPG7wqvD79KjTgt
                                                                                                                        MD5:CA065A99A257277D836F982B6BFC4068
                                                                                                                        SHA1:9C8BAE7E18B4A4FA1421A0F78B2DCEB9A85BA69D
                                                                                                                        SHA-256:FC43B8C1B13534E166EDD174D025706C4C33E644F414B8E5D2266D00E7288609
                                                                                                                        SHA-512:6A7768B2285BE7A196D9E48C3851ED2A594725D688894B4BBCDDF86723722D1D805978F5C25060B881640DC645A624B3B9327B4390759EFF14B009BCCDCB0FEE
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):86464
                                                                                                                        Entropy (8bit):5.721005866009677
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:H4VV8XW/Og9NCJ7qBEPzm92yCAWVaaE+zT:ydWqQm1VwaQH
                                                                                                                        MD5:C1059B1771C42C56132331A67961E997
                                                                                                                        SHA1:51C462422C370F087AAE4783238340A90474B121
                                                                                                                        SHA-256:77D99747306A8546E7E5ABBB0CD251552995F6B97ACF508B090CD5CE2577D0A7
                                                                                                                        SHA-512:32B68D976A637DED5E7FAEA4CE5613BBB23AE45220E1076F40AA2778B79D25E3FBBC5712E5B1814306D20D91A5C2C1536E100C75F080C6A4403AC702C1EEA561
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):209344
                                                                                                                        Entropy (8bit):5.881434766967219
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3072:H0uKb2fEejyG2iPklibcruOVTzk21wxqWX5bKn8p6/h/C9hrrBbQBt44DOhT:U8cXqcfAKFC51
                                                                                                                        MD5:4285447473404F11A13749C777D15240
                                                                                                                        SHA1:3E1D31C9DA1BD7BBFAE958BB5C66633CFBF5821B
                                                                                                                        SHA-256:B7B71E3030DD21E9BB41DE47F4BA505B7E0FB794584E0D7E8B72D593DF6E95A3
                                                                                                                        SHA-512:818004236FF8290E5BF619E3EC77013D8435EEC8D5E7E7D0EEA079FD7C585CE431EF4EC25D2E8B450F231FBE2946C0FE6676B88A75B75649F51737BC010BB182
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):205760
                                                                                                                        Entropy (8bit):5.7507205205431475
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3072:krFKDbAtgNrfAw1bsO8YzN2HsBpmxRGlu6rirK+3/y3zMFGt6LhE:krFAoOXcHfIfiXHdLW
                                                                                                                        MD5:BCF45756AF5D9FFD3A34348EB13C5E64
                                                                                                                        SHA1:7C21BB27A8122D5C0FEE607165444CAA5159D7D4
                                                                                                                        SHA-256:E656400A2DC97E208BA9D43F85E0624461C95D1483DA209A540D43B4ACFD391E
                                                                                                                        SHA-512:20CC7418ED8E825DD5B38E3CC36D00948F78BD60C39D57E22B6E9CC1AE6DFF96DCB70057342E156D8D29808F99E1813C18502E47E95AAC90B38E4F6F24842872
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):31680
                                                                                                                        Entropy (8bit):6.286896958345261
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:768:dHaVFSvPSNEtyJvrpcf9qjHRFzanHji9zP:J29rfTRNaD+zP
                                                                                                                        MD5:EDE25E7AE157D536A766F28D88E94814
                                                                                                                        SHA1:96447520791A02C953D8E5AB0B89593BB861505A
                                                                                                                        SHA-256:3786CE2C006658DD30F5C919E561D4BEBF5D02BCDFCA7C82E5108C551884DBF3
                                                                                                                        SHA-512:E2178E9C5477000F9432C25AD16DC1BED6C82F2104186BC955DA35B83BEED053124FF995FB07611DE7916D94664536DF4198FED4DA743E08AE72C9B230917267
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):19392
                                                                                                                        Entropy (8bit):6.547558348560535
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:RA1LtwmrH+LdTmkW/JwWvCzuHRN7j+Hj+R9zo8LnH:RA1kdodCzaSHji9zdLnH
                                                                                                                        MD5:4DCCC1DE0945DE59DD8DEE684A513334
                                                                                                                        SHA1:CB0AA6DECA4AD26CF1D79B7203F02BBA59BE5A11
                                                                                                                        SHA-256:2F7532355034DA667C0DF7CA5D54B24601074346B9EA2D2305B2676D9E577C7A
                                                                                                                        SHA-512:D62A8C0D19C9D7A9730F394755533D83B5EC83C1AB9E79CBC5E2924EA79F414CB616F3DD3BBCE55BC3F89704921FB6351ACC92B6F709ACEC063DD189DB4759E6
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):95680
                                                                                                                        Entropy (8bit):5.991175200260341
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:Zy+zGztUjm2oNIv5oiIZZ18CRD4fsab2ez7of:OzhNw5mTAsFeQf
                                                                                                                        MD5:D1C264CDE6E566C12FF6623331EE941E
                                                                                                                        SHA1:B94FAC1BB21C1F9ACAC8E8DFC9F84F5854F2A567
                                                                                                                        SHA-256:6370E60ADC74AC1C8AE7987C8F059F1069F4D8A24725886A87EA75FD3A1F8951
                                                                                                                        SHA-512:140720F5CD0F03C93D3C37C74D172D08EEE0F5019134A38ABAEC1DD67DEC3FD18E9D399F6D866E89D774B382978D4A294B6BB94E6D6D67B1DF0289B19571D5C9
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):175552
                                                                                                                        Entropy (8bit):6.105410883689105
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3072:L/WwMr8CSQ0dd5Xqp6J7OB6530Xgb3m61EC6r2vamjxBAZirkVrri:L/nMr8CSQ09ap6Jy65Rm2vVp
                                                                                                                        MD5:56BB12647EEE2DDBF7972B8788F286F6
                                                                                                                        SHA1:FC5D3BFD491B9B312F552A386CEBA6B200E42CFC
                                                                                                                        SHA-256:21F3CA5B68423C5134BFC2300EEDC89E94F219CE9B9414FA6C8C8FBBD3C003D9
                                                                                                                        SHA-512:FCD611C26BBD1F2EBC27BBAB5CD32B41C3E0A1EFDCEBB254655DFE22420565FC53B80A819998A744D63AA67C52C22092C1A02E535B13208F07652E425B6312AB
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):60352
                                                                                                                        Entropy (8bit):5.986296566759983
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:768:QRXrTM8QOkqNHEJLgp9DItLnKDiQ0fWS24LbxocNAwkEGjhl2BOBaBnD/sxFsNOw:vSk2HQq9DwbW3a7wzOd
                                                                                                                        MD5:3D9CBC9C8E830A6F2DF301A53EBE3308
                                                                                                                        SHA1:7E521ADFD7AFE7799CE7BA89B611F1A209CAA1F2
                                                                                                                        SHA-256:0BAB7DB24AB15964E2908F582C4B7DBD892F774E95CD38675F1BF70C4D9D7D8D
                                                                                                                        SHA-512:C8BB6E32FB74EAD85C4AA8C9A534745C0862430BC89A1C84C8FEA027D84DCA3A5C68A29841649D52A07D90C9513B7A5A7832DA7A4453DE1FC5D343B23E87CB0B
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):145856
                                                                                                                        Entropy (8bit):6.220299190046452
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3072:ZrwVY+eaNZzPM8s08xsNj4SwAXK7Vs2gM2HOI+rCoUlSLhN:ZrwBZWkge7DuB/mQv
                                                                                                                        MD5:FD47EEC6E9DC276D0814296D0BF936B1
                                                                                                                        SHA1:6DE1033F3C5DAA9028985CE551960B9FFFAED130
                                                                                                                        SHA-256:37CBCEE1AB36849E8F26EBAFE7B712BFCFD01D07FD8688BF85E53F4AB6E91AC8
                                                                                                                        SHA-512:3AE9F30D2B7673663F44A396DE5D1BA5DC3E25144B43AE1F53803CDDB6BF1C0F872FF8C63CF14B949D31A869937ED7E3BA585BC8E6D59412F8395A2C75A2C89F
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):362944
                                                                                                                        Entropy (8bit):5.778636910203541
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:6144:cNeM8oM6s8alZ+afj5OAKOQ4pUE9wCtbVI:A9QZ3j5gOQ4pUE9wCt5I
                                                                                                                        MD5:D11EA7DA1C6290B38DBC7AE338B42306
                                                                                                                        SHA1:DA1CDA8E05339BF9D8BED95B5C466D84003B9541
                                                                                                                        SHA-256:69E293FD3D391DD6342DA7A2427A7AE1C8235DE22413DC12EF2178FFB142FAB1
                                                                                                                        SHA-512:931B706AC360A5EB4F669D7956B7029B993882BC895CE5966EF7B4EB7AE95F40F0775B3323B2A2926EE2872755B7BA4A15D36AF34D8A197AE69507AC750B4B9E
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):470464
                                                                                                                        Entropy (8bit):6.0450815473537265
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:6144:I6g4wRumoEBSvGpDMCDC1AW4e+TF/AVaqmRQGtIhyjmDs3lNiKHUVs:I6jwRSvQh42RNjN6dVs
                                                                                                                        MD5:B0440E485726D621A0E7BBEE036590B7
                                                                                                                        SHA1:BBAFAD853DB43F265AA20850B3F5E827E4F72337
                                                                                                                        SHA-256:4A15B38464ED62825E7F34E2839C3F8E2FBD26BF061B1C81EFB7720E08BD1B3D
                                                                                                                        SHA-512:9F46FD2C9258D17A00C8C5D611903900D20DDA352AB0C9AEDD255589D093672630DCCF52DABB8692D2AC988A6E8D461CE2EC5C67790296F2AC296DF607E4C498
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):143808
                                                                                                                        Entropy (8bit):5.914742366814112
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:I6jLPfRUqxc0O/t4DErSu9e7EMaggaqRfDPRoTCMdaIwzOmJ:I6fPJUqxy14DEF9e7D3gaqRbP0tdnwtJ
                                                                                                                        MD5:52C61DC3E5A940B44B01F23C540A1275
                                                                                                                        SHA1:43B3BCD7750288BC2FF85937442AE73E817E9CDB
                                                                                                                        SHA-256:EB18F51FC9ED41EB4657D7FD38BC13A631E6520AB9A559742775C3DBE1AF299B
                                                                                                                        SHA-512:628408518C4E0EE4DA142D4B3784B85B0C1D8A17BEC492EF439C8763913154737FD001DF7B874FB9F22725331B51BAE055BBCA5B3D2A388D11D458B557F1590A
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):346048
                                                                                                                        Entropy (8bit):6.005191330158927
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3072:+00ASicZpLom0Wy0iwsC+KHIVKbHWuFvUOLKZXXZF6jJfIMRFxtZYg7eyXgMly3k:qlRAWy0iDCyVMvUYKZ+JICHNyPOw9Yik
                                                                                                                        MD5:09F984329E3B44D747D3F6CDA6B2A6BD
                                                                                                                        SHA1:FA13EE660655D1008AF47B1189CB6791F4F82B9A
                                                                                                                        SHA-256:6D3AACE3DBE7075EAA96AEEBC32698631C685A3E0EEC36C926B3C5F72FF6E61D
                                                                                                                        SHA-512:D2E744F7D728952CFD2D44848848FD2FE8C0762BC544FC7AA86153E4D65F40A785A3A65C9F724B354738C7943E6BB6A39C183A66F3332C38B1747C62F209F48F
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):80320
                                                                                                                        Entropy (8bit):5.681725827555387
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:l7skby0ayhkM+TeVCB5+G9cTvdQc1bqMsDtbX8pangNizFaoXwzOpZ:ZDbyihcwqHAagNKFhXwW
                                                                                                                        MD5:74F3617814CDBCC445BFEDE5C7C9EBA4
                                                                                                                        SHA1:423B46A2B8BA446FF4EDE8F8925AFEB71D00BEFB
                                                                                                                        SHA-256:46B85DDC9249A5EBE83D2545E0C263E2A578EFECE493C94404C0C3E7232FA3BD
                                                                                                                        SHA-512:C3E54973F92652FC35AD8A42E5E5BD089C7F4ED24CEDE24E1B47705C67CCDE91D62D64C8189EEAD6B7A01D68EB39AC4CE6B285CCD85A7F88814479431BF905F4
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):402880
                                                                                                                        Entropy (8bit):5.899147512236063
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:12288:ulzmzzzzfzxVzzdqzzzzHUzJzrPXUAa6u:ulzmzzzzfzxVzzdqzzzzHUzJzrPEAa6u
                                                                                                                        MD5:AB17841334AEA7412091C07F1F3A5C13
                                                                                                                        SHA1:D8AE4C74240D09F9396801C2D1F85AAB9BFEEB7C
                                                                                                                        SHA-256:0E9087D4EDAFC921C369C4142CA500CBBBA97B2CD380BC50FE059ECFFD11E8CF
                                                                                                                        SHA-512:C6A9BA5B5167495286F35013605C43827D815357177B734D2C1A74BFEA09B3BD5FD8431B13513E20EDEE9F504E9758133D7E546848380F55D435DB9E584B3117
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):137664
                                                                                                                        Entropy (8bit):6.105876992942673
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3072:yN1zvAuFvVyV2sUz8mqc9AaJrNhxmnrThg:yTv5tAa3W3G
                                                                                                                        MD5:7EF448C23CC335F3FC782FF4997CD0CE
                                                                                                                        SHA1:BF818C3B2F19E1BEE64557BBC7399EC93C0924F2
                                                                                                                        SHA-256:DB3201AA361EEFD7FF6E779A579EDAF314C648E7B694D9A48153BB9E6753F8C0
                                                                                                                        SHA-512:FE853F8BDC0FE81C163094C4115425582A86242CE584048DF51865260A48FC82B1F1D6819EB526C4F2AFB49D5CE89AA2ED51925EC93C8E60F3E2890F794C41E0
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):799568
                                                                                                                        Entropy (8bit):6.395959540562793
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:12288:Gsqbw+mQAhpsnL8vwCjdLkW0wxxymyYbPvvzEFtqc3KRGwZH:hhQqgLawAdLbfx1hvvgFwHGwZH
                                                                                                                        MD5:1FC6060E2B7DA45E4E9FB7F3E75ADC0A
                                                                                                                        SHA1:4CB47EB40457945D2E8F56471192A387C2DD0369
                                                                                                                        SHA-256:92DA58F32E8468C86B830D88914E872558E8A6BC6D430F8CD1CF4236C8A32D51
                                                                                                                        SHA-512:52E9DF7496AD5B2C7566E2A54FAEFBCA7F45EE8C0A88F12B95602AF78C7F8E4FB45BE52E83C600DE84D41356B1E14240807769AB6AB7B88C644FB2ABED569A5B
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):38
                                                                                                                        Entropy (8bit):4.0933405928928694
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3:HRDM3iJKRLMFn:bJKRLkn
                                                                                                                        MD5:F9A33365723B91ABF48A528E706D70ED
                                                                                                                        SHA1:D8DA1A19A69D745036EA7983BDC90F031FE9110C
                                                                                                                        SHA-256:676A9E17268E14567B5B2220244F5AB740A61CAB62BC02DE6126854B8382D7CA
                                                                                                                        SHA-512:5F650CE53F793FF0E7B0054C0253684A61FE4C282A4D2412A3AB5C3801B2D60C54BE6459ED019780A969916ADF497C0EEDE7F67A19A2E9B0004181D1E5E84D38
                                                                                                                        Malicious:false
                                                                                                                        Preview:"Dummy File, for installation only" ..
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):990032
                                                                                                                        Entropy (8bit):6.177068944245578
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:12288:tc2YwE7VSxeUMUCcTd8Ht4lYyF2f78oyoMZggTSy:S2DE7oxeUXfaHtkYZjiQg2y
                                                                                                                        MD5:58B80D366D68B524E1B4FBB4C7DBC511
                                                                                                                        SHA1:C42756154A35923542317FAE2376497D0035C51B
                                                                                                                        SHA-256:E3893C35187B0DD848758979EBD0D766FC99F918EC9E685297F7D6CA080F122D
                                                                                                                        SHA-512:7754B6F9093DDEC47AE2679A32A6B9D8595BB2ABF25EB8EE2043EFCF68449D17CC9ED109E59C25EC19F476BA1BC70C4DE51FA6F3BE1D98D6E3894CCF419A2122
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):10920
                                                                                                                        Entropy (8bit):6.395130789391203
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:192:pOSWVjzWEfXQpbfxuDBks/nGfe4pBjSjiX:pOSWVjzWEQpbEq0GftpBjD
                                                                                                                        MD5:211EF4938FEB3C351FB9DCDD3789321D
                                                                                                                        SHA1:7D9F328E5337C25963F91CF22EAD019832464EF4
                                                                                                                        SHA-256:375D5ACED5FCE9262BA7838642BAEA31C10B4FD41BAC133E04B27B062E32D1B6
                                                                                                                        SHA-512:476880E3874D42846B22A78B2378DB6260B9A1314A7A33A5018D488B21ADE1888EBDC22CF784F1B7E2C7EAD55604F20BD69C042585488A1D48A10E3CFF66CC83
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):19104
                                                                                                                        Entropy (8bit):5.309675947420754
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:+WZYkW65ls+lCi7ITaana46WWhjmaCIc3q0GftpBj5:5YQ5ls+lCi7I2ana465hjmif
                                                                                                                        MD5:9E927BCE07A6D2117FC929E6E90889B6
                                                                                                                        SHA1:F9D04F9387D4180D41EE9FCD10E3C92919CB78A8
                                                                                                                        SHA-256:22D21B5D9574E9F68D25A2CEE73AA0C3E0FF2722449242DC15D951DFAC41F6D3
                                                                                                                        SHA-512:342208FBB3BE867E09133A331A3C0CF74B7CE8FAF48F119D993EAB9A5C71960B0E219361F192D63F14395CC6C1C634B61ED381247C84C59CCCED4CBC1697A168
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with very long lines (456), with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):9732
                                                                                                                        Entropy (8bit):3.790055917221028
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:192:a6hjIZ3cIewy2NLOJV0BmirQPAZLBLvn6S2/vnYzzXhdPSW:a+YyPi/7z6S23WTP3
                                                                                                                        MD5:37BF48382DFA5F1D0D847F6AC2334527
                                                                                                                        SHA1:4E8BEE51C6D71D297A9B19E42AF822D9E33D6E88
                                                                                                                        SHA-256:0915A72556674A3635AF7137CC6C092E8F7B058984A6C8AAF301C05F0930AEAB
                                                                                                                        SHA-512:F62FCBCA6692F1603F8F71BF06A0F25BC16B979FF947DBDF4646899F7798E8DA8513D52E59AF1DF774BFD77D666B3DCEF0AB9993CD0534AA511483F25C3C62C5
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):3840
                                                                                                                        Entropy (8bit):6.594973868755483
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:48:IrzzlQecWGSt7npUjeIjrllkzc4k1f89xRnPVfEHnoAEfFC74M/5CyIp:IrFQLStnpY3jr83CfYnPOSLyIp
                                                                                                                        MD5:14CAE1B34CC20375EE409F72103B60E6
                                                                                                                        SHA1:5B5C2506E31A05D39186836DF7E7620FE3ECC935
                                                                                                                        SHA-256:C393F75E8FE6A5A022DAC4ED3EBE5955E93A294DAE83657010165E63A781DF44
                                                                                                                        SHA-512:2A4B83D3AC693C9E6F76EF949DA23C4D46C89D21411587624910EC9BFC8ABBDC12F8DEE103DA6C4025E4204BFC679A95C18CE463CF5A4D8537500B659051748E
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with very long lines (555), with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):11254
                                                                                                                        Entropy (8bit):3.51311134245129
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:96:6OcIo5b7V+/JSIYpgIGgeDECRk9wpXmtxqNaswY/xl0KNvBb9UV/UJH8hnWDl4jF:GIGtGOsPsgBpcaGlVY0Z
                                                                                                                        MD5:AAAAA62D4AEE7A562D777D5DECC8B3AE
                                                                                                                        SHA1:9B3B366C282B121913282C9A5105EA9EE0C0474A
                                                                                                                        SHA-256:3056460748BC8349F728DCAA6D38FD2D9FE3547BA5C510572F90055F6B51FAAC
                                                                                                                        SHA-512:4B972860952A02FCB09358FFBFFA2CA3E006ECBD5B1A632BB6C568E2B492EB17CD743351DECA0A989802A8A2272F125544772E3A58EFB259D0D7588303A6AB50
                                                                                                                        Malicious:false
                                                                                                                        Preview:SOFTWARELICENSBETINGELSER FOR MICROSOFT MICROSOFT VISUAL STUDIO TOOLS FOR THE MICROSOFT OFFICE SYSTEM (VERSION 4.0 RUNTIME) Disse licensvilkår er en aftale mellem Microsoft Corporation (eller, afhængigt af hvor De bor, en af dets associerede virksomheder) og Dem. De bedes derfor venligst læse dem. Vilkårene gælder for ovennævnte samt de medier, De måtte have modtaget dem på. Licensvilkårene gælder også for alle Microsofts • opdateringer • supplementer • internetbaserede tjenester og •
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with very long lines (660), with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):15216
                                                                                                                        Entropy (8bit):3.509492525709541
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:192:VSQAY05JEzLJgbE8xeuaQOI9cqOANn2fxQ:IYwJEzNgYTuasGlA12fxQ
                                                                                                                        MD5:F4A147B479B0D7F040AF753CBB101AB7
                                                                                                                        SHA1:51DDC77F930486117FA018AD7143EB97B16CB9D5
                                                                                                                        SHA-256:A6133808D01961C10F30CD487DBEE8F07C816EC774A83DE27BD694148222A094
                                                                                                                        SHA-512:397D2997EC95F62FBFDC0AC177F0CB761F52C334C6C08374D16F13F9E156F5B4036927BE696196354B23940BDB042467A8976E3B705830815D1C17723A476044
                                                                                                                        Malicious:false
                                                                                                                        Preview:MICROSOFT SOFTWARE: LIZENZBESTIMMUNGEN MICROSOFT VISUAL STUDIO TOOLS FÜR MICROSOFT OFFICE SYSTEM (VERSION 4.0 RUNTIME) Diese Lizenzbestimmungen sind ein Vertrag zwischen Ihnen und der Microsoft Corporation (oder einer anderen Microsoft-Konzerngesellschaft, wenn diese an dem Ort, an dem Sie die Software erwerben, die Software lizenziert). Bitte lesen Sie die Lizenzbestimmungen aufmerksam durch. Sie gelten für die der oben genannten Software und gegebenenfalls für die Medien, auf denen Sie di
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with very long lines (432), with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):9698
                                                                                                                        Entropy (8bit):3.3499182192510224
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:96:ufJFuIu+P8AWybUWhJJhLBKz1+EvgfwtI1c384MTAXc4INUtxNlgWgcxRJomVVCE:YJUIu+P8tdIoXDIWtLlgc7CRB0jSbW
                                                                                                                        MD5:BE6142E24326C7E3F1030B95BBA80D1B
                                                                                                                        SHA1:42E5E22DDACD732754A88F345E08B10A84AB46BA
                                                                                                                        SHA-256:030B04CE7FADC9DA232BE9A76BF35D9ECCCE7EB8C37C5E238095D71397A5AFD7
                                                                                                                        SHA-512:7E8B43A82C2ABF2865E1C8E5526B370831D703A58C0AC07DBB0E3BB1A18685670024D81401639D1C3B42F8E809CF6B8A794D5872B083AC82DEAC281E5F38574F
                                                                                                                        Malicious:false
                                                                                                                        Preview:MICROSOFT SOFTWARE LICENSE TERMS MICROSOFT VISUAL STUDIO TOOLS FOR THE MICROSOFT OFFICE SYSTEM (VERSION 4.0 RUNTIME) These license terms are an agreement between Microsoft Corporation (or based on where you live, one of its affiliates) and you. Please read them. They apply to the software named above, which includes the media on which you received it, if any. The terms also apply to any Microsoft updates, supplements, Internet-based services, and support services for this soft
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with very long lines (549), with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):12140
                                                                                                                        Entropy (8bit):3.4775959694086733
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:192:lqEjZZceoVLtX5KVDeUAFBrjifYjYK9cWFjmDspWKSi3F0qbiyMBN1vploub:8Ej+X5KxehFBQCYW/d3F0qbijLtp+I
                                                                                                                        MD5:B16CE8EB5F0876096A6B2ECB779BA300
                                                                                                                        SHA1:EF71B6B71C22A37C7CDE640AC417E4AABA3ADA06
                                                                                                                        SHA-256:8AD53D31EF9AC9E5166C5E7AC87A6EB9995E688ADEE31158ABEAC242B2494C70
                                                                                                                        SHA-512:62CAFA029F6449A4BDFBDBBC559872CE71A670B4286B37CF2D2A49BA5BB1929D188EE8F21B8BEEB9772E458B1D86CD1DF76F553CB8E4CED9038524690BD90792
                                                                                                                        Malicious:false
                                                                                                                        Preview:MICROSOFT-OHJELMISTON KÄYTTÖOIKEUSSOPIMUKSEN EHDOT MICROSOFT VISUAL STUDIO TOOLS FOR THE MICROSOFT OFFICE SYSTEM (4.0 RUNTIME) Nämä käyttöoikeussopimuksen ehdot ovat sopimus asiakkaan ja Microsoft Corporationin (tai asiakkaan asuinpaikan mukaan määräytyvän Microsoft Corporationin konserniyhtiön) välillä. Lue ehdot huolellisesti. Ehdot koskevat yllä nimettyä ohjelmistoa sekä asennusmedioita, joilla ohjelmisto on mahdollisesti toimitettu. Ehdot koskevat myös Microsoftin ohjelmistoon liittyviä
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with very long lines (552), with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):12026
                                                                                                                        Entropy (8bit):3.49731717292859
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:192:lZ+iMScqwm6npiueEASc7XxKMKgj1ebKH7m5q666j1o3MLycT4oUK5I/S:z+i+U6pMeX2idUkAS
                                                                                                                        MD5:050D6F6B4995E30F1EFE96D4BB7D6695
                                                                                                                        SHA1:823DBF75601238349E516E5A7DA594C9C7EF8C55
                                                                                                                        SHA-256:99E0986D68B69E10C01C296ABD599687209179C76A1614BF614121DBB9B0F595
                                                                                                                        SHA-512:6F95211EA9D38B2B062753811A5BF8E3E02AC58443CCDFEEA379F4278DFBF2254BE7B5CA9B31346BBF9F4AF8537E1927070DF49B2B3DE539F334396CB41CA877
                                                                                                                        Malicious:false
                                                                                                                        Preview:TERMES DU CONTRAT DE LICENCE D’UN LOGICIEL MICROSOFT MICROSOFT VISUAL STUDIO TOOLS FOR THE MICROSOFT OFFICE SYSTEM (VERSION 4.0 RUNTIME) Les présents termes ont valeur de contrat entre Microsoft Corporation (ou en fonction du lieu où vous vivez, l’un de ses affiliés) et vous. Lisez-les attentivement. Ils portent sur le logiciel nommé ci-dessus, y compris le support sur lequel vous l’avez reçu le cas échéant. Ce contrat porte également sur les produits Microsoft suivants : • les mises à jou
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with very long lines (405), with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):8334
                                                                                                                        Entropy (8bit):3.8337054433603073
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with very long lines (594), with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):13730
                                                                                                                        Entropy (8bit):3.424486125850018
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):5688
                                                                                                                        Entropy (8bit):5.566774799697373
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):5848
                                                                                                                        Entropy (8bit):5.495415042980411
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with very long lines (529), with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):12290
                                                                                                                        Entropy (8bit):3.467636607529899
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with very long lines (561), with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):11576
                                                                                                                        Entropy (8bit):3.4911867001705126
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with very long lines (573), with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):13082
                                                                                                                        Entropy (8bit):3.7591618208087683
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with very long lines (493), with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):11036
                                                                                                                        Entropy (8bit):3.5112797883880504
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with very long lines (706), with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):13568
                                                                                                                        Entropy (8bit):3.9464247122507095
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with very long lines (499), with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):11054
                                                                                                                        Entropy (8bit):3.5454751210142135
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):3846
                                                                                                                        Entropy (8bit):6.499727744183225
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with very long lines (573), with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):12638
                                                                                                                        Entropy (8bit):3.4699965008419484
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:96:KgwKAgOBbaMJ/Gz8nfj1rp4zdYi9+uKYKBn9nTU12K8D3dbuZVSdYT+qCcHd3aIQ:ShGz87j46dKrJi+oj9puTyPUV2G3D4n
                                                                                                                        MD5:2D5E3482ABDC63619421C9BD38E7BA5D
                                                                                                                        SHA1:6F5FD0FA20EF1B621CFEE4257DC71E5967215633
                                                                                                                        SHA-256:8F8AB652D81D3142101177FDDE9C02D8F0C00CC0E0DEB75934785F592375F148
                                                                                                                        SHA-512:9939F85CAF5DCCFC224C281D970EEE22C6182BF57761B98BDD4C3F74FFC0B7700DA34E6CD497153AA878EFB8D140AAB06AD7A2EB7BA009C9629DFB65982E9FE2
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):3212
                                                                                                                        Entropy (8bit):3.5554609285205743
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:96:rU7j7276P7Q7rWQPKFBFe7ZE7+7Yg5X747LYkfYO:U/q6zUyAUu6iv5rsIO
                                                                                                                        MD5:7E29745BB901DAA24C6391F8DA54B399
                                                                                                                        SHA1:BE24A497828A051C65E5EAC58DF36E45A0F30DA1
                                                                                                                        SHA-256:0DA855F1FFF35AD6B627EB1C6D302D3DB6960E5EB60DCD1065DA187624D36AF5
                                                                                                                        SHA-512:16A52F79C28963ACC6FBA9DEF64B912155847332717E3D6E13A0309623768C16712B3667346597EFD720289FC144757768C60E0754F177C2CFC9554DCF039DAE
                                                                                                                        Malicious:false
                                                                                                                        Preview:[ProductNames]
                                                                                                                        ProductName.1033=Microsoft Visual Studio 2010 Tools for Office Runtime (x64)
                                                                                                                        ProductName.1041=Microsoft Visual Studio 2010 Tools for Office Runtime (x64)
                                                                                                                        ProductName.1042=Microsoft Visual Studio 2010 Tools for Office Runtime(x64)
                                                                                                                        ProductName.1028=Microsoft Visual Studio 2010 Tools for Office Runtime (x64)
                                                                                                                        ProductName.2052=Microsoft Visual Studio 2010 Tools for Office Runtime (x64)
                                                                                                                        ProductName.1036=Microsoft Visual Studio 2010 Tools pour Office Runtime (x64)
                                                                                                                        ProductName.104
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):792728
                                                                                                                        Entropy (8bit):6.06909961626245
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:12288:SjsYryw7kNihcR24YvI0g7iWxU0urSNsa+/Qpi2fncx9u6lB:XYrP7k8iuH4+GIgk
                                                                                                                        MD5:D2AC2D95581DB0D6B52757C2ED839E85
                                                                                                                        SHA1:E592B595B74955A58F2F871CF90CFC686DCD871B
                                                                                                                        SHA-256:14FCE0E16AF46F78FF399C98F2B937D40B3C3E6D8AD9AC9D5773BFCEB3049BBE
                                                                                                                        SHA-512:DF8F2EC89ABCD246ED13F6E61E859C253416C48BF8A1D860A9875BFE1AF3A2296F2BC7079B05653240A41CEFE9AFFE8D5A14FB83790664DA58200F3CE351D0C4
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):13146
                                                                                                                        Entropy (8bit):3.458299984410832
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:e+bBI+eziLMDwETkLpJVXNG/aqWTD5a6wPfaI5aC:xbBpeqSypw3aI5aC
                                                                                                                        MD5:61CCEE94B07C323A2BEFB2D107BF4309
                                                                                                                        SHA1:28A0579785FF62CFBEB0315F3042510B0292A776
                                                                                                                        SHA-256:021ED1EF592805805AE6E3F8301C7360B0BE7634EFFEDF51FA471BC0C8CCF93D
                                                                                                                        SHA-512:C52A68782FDD9E23BD2A3C25C727BB3B1FEEE87FAD46F48C59633E4076DF74AAC19F84758128ABB0584623C8881AB8167C1C9FBDF36BB0EA6DBF3C7A0C630B7D
                                                                                                                        Malicious:false
                                                                                                                        Preview:; This file MUST be Unicode encoded and NOT UTF-8 encoded, otherwise install.exe chokes on it.
                                                                                                                        [Setup]
                                                                                                                        ProductName=Microsoft Visual Studio 2010 Tools for Office Runtime (x64)
                                                                                                                        ProductMsi=vstor40_x64.msi
                                                                                                                        ProductSupportURL=http://go.microsoft.com/fwlink/?LinkID=139466
                                                                                                                        SupportWin9X=0
                                                                                                                        MinNTVersion=5.0
                                                                                                                        CheckAdminRights=1
                                                                                                                        ShowFeatureOptions=0
                                                                                                                        ShowDestinationFolder=0
                                                                                                                        LogFilePrefix=dd_vstor40_x64
                                                                                                                        VerboseLog=1
                                                                                                                        RebootMode=1
                                                                                                                        BitmapFile=
                                                                                                                        CustomTextPrefix=
                                                                                                                        UILanguage=0
                                                                                                                        UninstallWarning=1
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):45736
                                                                                                                        Entropy (8bit):5.062351030831879
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:768:axO/Oa8qN0VePDXixFKLCBDXil4qu5yRRDFNXiQ+:axO/OaGePDXixUwSl4qSkRDFNX8
                                                                                                                        MD5:3481CC60626CB72B894D13D6A655BF13
                                                                                                                        SHA1:9DC47EB83B55A84A54F55DB03D57F3BC27D9F160
                                                                                                                        SHA-256:D43AA24D8EA2B548D6E1D787DA14CCE75D6E0F4F1BB8C7D7CC18F91C93078E44
                                                                                                                        SHA-512:349563E2B22B57F8DAA1D4A293DD4545F7C5D8EA5F1418789195447C7B30B0106A5BFC0EC8997ED6D53826FA8E36D9CEF07578084B1BBC9AF94A892F0D46FE00
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):32936
                                                                                                                        Entropy (8bit):5.746882227872104
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:ov/xRYLwO/JaZMmNg9u34ciia97NZeTiaWOUWhy36q0GftpBjcfPA:gVO/Ja2gx3av1Nk+66ki0PA
                                                                                                                        MD5:0C601DAD444BDF0C58CEAFA671BEF628
                                                                                                                        SHA1:C2F462124BADAFEF63A257D479241DCA9A6BB8CE
                                                                                                                        SHA-256:84C7F3F0AA2A749BF931CD6A832B46C434DA7E2B750B64E9B2240649D585F6B1
                                                                                                                        SHA-512:711FC6CBCC7A9DF0375F920A7033CAAC352BFDB4398D1887B8EF892AC74C5B934A94BB16B21CF90FD8F42F67B5EF1A16A3147B00B7A53B3038825F246E92CF82
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):50344
                                                                                                                        Entropy (8bit):4.470125919928137
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:Rn3RYLf+O/L0aR0UiVTAv7UXn6eTODS6kQksW05UW3aCIc3q0GftpBjte8:Bq+O/IaR0tVTAjS6su7i3P
                                                                                                                        MD5:129015CBD620FA7DBDA9BDCE876B0D65
                                                                                                                        SHA1:9872A0FD0B1249D8FE6FC5BAA21A0610A2853C2B
                                                                                                                        SHA-256:D4D1FFEDDFECFF4933187A8FE2E215DADC8C70C7BA2BD2BD12F9304C8E7227A1
                                                                                                                        SHA-512:02FB382EAA55BB12C7D09E7E326587EA255FB707B3EA1E38004C1541668BD3AB253BBBFE97DA31F9934CF9C5FAC6AB47C63291CEEB2782B97EE3DC67F22082F5
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):53928
                                                                                                                        Entropy (8bit):4.436532581521845
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:muO/yNab5fDNh5T8fdXWohToh+ohvodoEugvhGKQG56KjtrE4HEruwr2U:3O/yNab5fDNPT8fdXWohToh+ohvodoEO
                                                                                                                        MD5:E42F6B340C6C27C0BDD3312C73B23E57
                                                                                                                        SHA1:E3021824C46E09812F3B9852C7BE8443D4FFAE40
                                                                                                                        SHA-256:F33E77BC556D67DEEE27BFC2C69E7560BBFF3ED04DE6DCB45E8CF751C7CA87F6
                                                                                                                        SHA-512:A6D4E065D474080C5D13A393BE761172EC96A606B14BBD66CE54EF4100A88618274A746B429494B89BC405347A5223D5C77096A75EAD90342A1559B344CE7637
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):48296
                                                                                                                        Entropy (8bit):4.4173941835656585
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:SnMWxUW7O/iaqnrPy9YmhjHs429cCyuirvIGP+igty/+umE9rvvPUz//nn6MNibE:SLBO/iaqexK6UMQiAr
                                                                                                                        MD5:8C83DF42AF6C850F758D8B43D8A058FE
                                                                                                                        SHA1:5B775ACE433DB2F270C0EE798E7DBD3DA337DEEA
                                                                                                                        SHA-256:968BA1F17D1155F69E2717001EB820C506A981E8E26654D6E5EDB08B48EE8123
                                                                                                                        SHA-512:409DF7DD28CE137B8CCC132CBADA901FDB4AEEB5E7D0C59098B0BE286034FB07C91108635B88AB44C8C76887C108551990F136AEA2E3F3EC0F0B2A973D52C8A3
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):49320
                                                                                                                        Entropy (8bit):4.445758536014717
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:2PHRYLjO/Njah2Sha9NUJaSvdr+0JuyXpng8c/wGgqwEWhFBW9UWJaCIc3q0GftN:+kO/xah2B39YSy7pn6/8hnoZiQM
                                                                                                                        MD5:66BBD942827EF6795902CA697F67B1E4
                                                                                                                        SHA1:19451B896B167BDC5B3D15B3FA4B29230512ED1E
                                                                                                                        SHA-256:D8A8664B3CBC52E9242EB319D6F9A9B265B0154C2614ECF90F4983D774D92FD5
                                                                                                                        SHA-512:28A5100B0E16C1E31CF92266C7C5839A8983B146763010C60EB8F4B3175BD271507F895F601BF0462BF486ADDB21D9C94FE2327C66495EDCE6E77B95358FC08F
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):54440
                                                                                                                        Entropy (8bit):4.404258423359341
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:hf9RYLUO/PaXpZNVr1gy/1GCH4BXbmu9uqnsJIHeuFVUwP9ZdLrNgyNgAHUcF+8z:5lO/PaXpZRg41isJafbfgN8zviLC
                                                                                                                        MD5:A3109A9AD26BA92914A92B32EF148DA0
                                                                                                                        SHA1:746CDD52A17C777E423E45AEA70884EE3617A50C
                                                                                                                        SHA-256:57F3AEEBD81CC6DB17A7F3A3E7E4B6225D9CC4F481943CAD085AA5ABC35ACAF5
                                                                                                                        SHA-512:D69556139B1F7DA098AC76DDFEDDA11D92DAD199A5C16EC6EEC7F4A0E6AF676F4A05675BDCC036AB72D7F2A72E4918805551F7B727A34ECD441C776C178F632D
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):43688
                                                                                                                        Entropy (8bit):5.1194883050998365
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:HnIRYLrd4zR7/OeR74l5K6W/Xf0tEJzXy0LEvisgRWpUWmaCIc3q0GftpBj4:HFd4zR7/54WVf02JzzIqrkIiq
                                                                                                                        MD5:CF69682175090ABFC0B9CEBD4CC40335
                                                                                                                        SHA1:59A11C03D1CDE57E964445B3A0A68748B4B3706F
                                                                                                                        SHA-256:368C2ADACC0C674D1F742490617E71DD22D93127591A8FB00298E16FCA48AE4A
                                                                                                                        SHA-512:55AD3A31FDFA20FAABC4BBBA1C6E04419131E7C613CD64845BA1CAF992A92FE2B5F9888B6676656E90E940C19D1573DDD41C1CCF51B54E597106CB3D61F41C9C
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):52904
                                                                                                                        Entropy (8bit):4.399710337546162
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:iTDQRYLxO/2aduf/7pBxw267DbkWhqK+plHho5kI7WaUWQaCIc3q0GftpBjJl69:uDjO/2adCWbkWhqKxkOeijl69
                                                                                                                        MD5:268233FDBDC6E59C4D24906088D5041A
                                                                                                                        SHA1:F0940E01C229766FFF2340B4044E5C4045F84B0C
                                                                                                                        SHA-256:6E1D9396863ADD2E1E1C52499BA98DEF053F3B9775D79F7E4EE020DA5220317B
                                                                                                                        SHA-512:90FB2778258441E4E23153217CDB90A7262990D585A507BB0D8D5898F22724CD7BB856CDD27CD92093CF155394C6E442AA0F2BA19761AFFE5D980E976CA1CA41
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):38568
                                                                                                                        Entropy (8bit):5.558295085602389
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:ffn8RYLVO/9a4dnN4DJyXeM3cEjf6frTseeHYS7KBeDBW7c7PpWeUWPy36q0Gfte:33O/9a45N40XQEjif3+BW7cD0kiA
                                                                                                                        MD5:AD734806F4812A6F7D71E9871CCB220D
                                                                                                                        SHA1:A3B081C226EC11EC9976A271D63E600A1BB8AD9C
                                                                                                                        SHA-256:43229EFF1684D081D1A1113768C745487A25A422EF351B836EEE3EB8B8F5E325
                                                                                                                        SHA-512:CC478E639FDFB2F79209D603BCBC1D92EAB62D9226F87D1E032BB0B957E463482783029A6F45DFD90AB6E01A4796444A91E5CE3F645B2E6D0D2DE599CA389043
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):37032
                                                                                                                        Entropy (8bit):5.705399423756048
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:AnjRYLOO/iVga5hgnaKWl5t87byoppEThPpIgGxO+xOL/xOBDB3PLj5uqCQSCBYN:ARO/iea5yy5IelPpDEpq2X6lia
                                                                                                                        MD5:EAA3A5C19557977A318BB27A5CD8833B
                                                                                                                        SHA1:D75E57F4C0B305B1610FFB1E545387002EB73A56
                                                                                                                        SHA-256:746DE4DDE78CCC16E6E4DD15E1A36D62A7D4FA9D74D85940BF99AA04459CCF1E
                                                                                                                        SHA-512:0F346163245EE530578FAE13DE7238DF96D52BEF44397DB4411ECBC4972A4CEDE32D610D4D4DAEC787EE91CCAF9014E04433D1D960E021B626784302658F840D
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):51880
                                                                                                                        Entropy (8bit):4.4300236950336425
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:768:wNO/2aLQqb5IZWBL6xmY4AVh3TarMFi+m:wNO/2aBb5IgBL6xmY4Sh3TarKO
                                                                                                                        MD5:F5517017600E899CA404422461B7FB8A
                                                                                                                        SHA1:819124B69C830690433A9FE1D553573DD7A062F9
                                                                                                                        SHA-256:86A1191AF8FD5D476DF8210476A6F4097A7F23E2596DB79B18CC9ABB16DA58B4
                                                                                                                        SHA-512:9700A7BEFFEA5DF04344A25EF731272C6DE58D8C1024E5E40754D0D729DBDF56D918B017227FD36DF15B04944D8146D19385EFDA5A9122536D728A2A2D67B0EF
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):49832
                                                                                                                        Entropy (8bit):4.464232538419014
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:768:D1Gw5xO/ZnaDkIMA6Q7wMN1c94EYTrQ6sNkDtJii:D1Gw5xO/ZnaAIT6Q7wlCEYP2kDXb
                                                                                                                        MD5:CD8D886CD68925F95C114C3FA21ED94B
                                                                                                                        SHA1:CEAFBE9A40508A78CAC3C86BEB47F21AE24321E5
                                                                                                                        SHA-256:FDDBDF844B3190CBB1F251CCE4FC607E9B30AD8676FF6CD8123CB3780FFD97C2
                                                                                                                        SHA-512:656BDA40F2BAC24502BF5ABDA35A36E2C3FD252CEAE1E8FEF0A68F8F2CF67E3957BBE357815FEA153A1B7C06AF164DE824499EAE108244272683E60AD37C4B38
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):51880
                                                                                                                        Entropy (8bit):4.573380965767125
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:768:ioO/hant9V1iWerIcGWQW4uuHuqILBE8y3dqiyJ:ioO/haOX2tuAdqZ
                                                                                                                        MD5:AD8E8D3CCC42F8976A7BBB4D8A9EC293
                                                                                                                        SHA1:A6A88E0BAB7E4C4B24614A39AF347F93A6D9EEBD
                                                                                                                        SHA-256:442FA90E501CDD28F0207F96A86AD8FBE6A21533962A75792EA5FCB1C2C83B72
                                                                                                                        SHA-512:5177002CBCFBF40B8D3B66CF91D94E7E67153B1C3113061351462334D64B8150DCC96A9DC6558D8387C44574684E6ACCC9CF209477444996487CE1C7A9F3D7A9
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):50344
                                                                                                                        Entropy (8bit):4.471039723806081
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:Mn/RYLXO/Ha5CWf4cWvWYzazB0+ZrYhNyLErgrqpRqvSID39WUUWnaCIc3q0Gftm:MQO/Ha5C32tzMAwkK4Dis
                                                                                                                        MD5:7C71C36D2BB0566BFB6293FFF858D874
                                                                                                                        SHA1:C30A8BFEF9755B6AE0283E3438330378E127DA63
                                                                                                                        SHA-256:63B9E6AB7734EDD1E21AD1F2C23736CFF08233A4146ABC6B51B53AFDA186BD64
                                                                                                                        SHA-512:AE8AE09CA0B6127371DE6343B8AB222E2C4F75D5B9F97EF2D846EC4E21C63B1789A024A336768043A2EDC0CF8D1D43B3B4A486C027325FC6214E2E180131623C
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):50344
                                                                                                                        Entropy (8bit):5.011211165315562
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:NnNRYLShzO/WdkYB8sXUJlc0ih/hRYKtWdDFzUWZQpbEq0GftpBjuzo:9RO/ckYB8XJu0G7tWd53Jikzo
                                                                                                                        MD5:A78353780B2EC82F8103C0D57A8E1771
                                                                                                                        SHA1:1F6A0184AB0CDF6F3CE8E1972514D1F7CD5D01CD
                                                                                                                        SHA-256:5796AD08D023F9ADFD870FDBE079D3A819502B57082DFAD90C86AB177603DD5E
                                                                                                                        SHA-512:0E3783171BED0FBC9B68A9C1752F7B5F030B5E777D510D0936D132FDEEA82A8CC0B371C2F15C444589A175F0F64D486ABC0E0A350B483F5956C5B6663E8BC7B7
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):49832
                                                                                                                        Entropy (8bit):4.48993308396799
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:768:IydOGO/FnaZkz078Fo0SS1OS/q+GFCsBSixJ:IydOGO/FnaSzAUo0SSOS/q+yCsBSW
                                                                                                                        MD5:151161B0025AFC00F9B8A1881D11B582
                                                                                                                        SHA1:38253EDC3CE268F68A3EB2ABF1C82D7003B6AB8E
                                                                                                                        SHA-256:8BBAEC743F8DF8E3273EBD4378C9DD3F84B0474F4D878CE27CB847B662CEB740
                                                                                                                        SHA-512:3D340909A2B37807B46A94416BD3FED7B7F4CA1E26857F2CDC8E586E88484BCF7301128C396DFE20A6C64BD3446FFD68E0F6F57FAD493DFABB5D9A31D0BFC11B
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):32424
                                                                                                                        Entropy (8bit):5.728182779024484
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:QPPRYLFFkdx3p4UR75djtQcmSkpOQHW5UWaaCIc3q0GftpBjR:4QFkd5p4a9QcmSkZGIi/
                                                                                                                        MD5:64CDAA4721C6CCBAFD6D2A4E8BD837B1
                                                                                                                        SHA1:6ECD61D137E0EFED59562234A93C6B0952BE4C36
                                                                                                                        SHA-256:80EF35953C1686B68F24C8F0155B44055F607AA47D54AB4B8A263A7B434E2050
                                                                                                                        SHA-512:D4B8E517456C164D928A127775A954A492BB533F3C49574B345D82927CFD42DAE7575470190E79272D9B3AC935BF8B07C3FFC6F26EEB13E854726BB5F175E88C
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):53416
                                                                                                                        Entropy (8bit):4.356280752864515
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:yntjRYLhO//aTA+xNN1LeLx++8Ly1UemNQ/KDe5FpRNmWkUWU8y36q0GftpBjlK:yAO//aTA+p1LeLx0LB8uenpIgkibK
                                                                                                                        MD5:EDD4C71DF8EEE3D81D9AAA2338EC8ECE
                                                                                                                        SHA1:4090F1ACCE1D7BB01785CF3D3305E699C9A2C321
                                                                                                                        SHA-256:5A24D09C7DAB6250578840AFBF6EB8F008A22C200AB44CC73ABFA69C04ED62D7
                                                                                                                        SHA-512:F3F708A039EDD985E53FCEC23AE25E71A23511174352FDC2B043754CC6C18FBEB85B9A7399684B4CDCDA4DD7E17588FFD8B5F63ECAA786C06420686BB4412D27
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Microsoft Visual Studio 2010 Tools for Office Runtime (x64), Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual Studio 2010 Tools for Office Runtime (x64)., Template: x64;0, Revision Number: {011224A3-6FF2-4548-95B2-8E1F0DCB33F9}, Create Time/Date: Thu Aug 25 05:31:08 2016, Last Saved Time/Date: Thu Aug 25 05:31:08 2016, Number of Pages: 300, Name of Creating Application: Windows Installer XML (3.5.0626.0), Security: 2, Number of Words: 2
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):565248
                                                                                                                        Entropy (8bit):6.203300395032623
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:6144:v0jV7krae+YhOLvd0JYqhwMMDjTUsxKCCDjzsn9v/AlyYFTwSoT5jdSAPLQmlY1Q:vwGfSvd02qhwMMDpUpsh/Ak/7DlYu
                                                                                                                        MD5:CB7DF3525C2FBDB02ADF3CCD4A4C9432
                                                                                                                        SHA1:E070E83A52A4CD6F57E85F6CB3C52BFB82F68429
                                                                                                                        SHA-256:3789F88A27EBD9C8157BC40E8AACD64129EFDF0354F5CDFC7C2212EF37251221
                                                                                                                        SHA-512:69CE2534802802337070EC96CF124488558878B8816C5584B03FB27CC568D7F6FB9001CB576F0E8583DD5578943823D2508CB14741D832DBB0B6F834F359080F
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:Microsoft Cabinet archive data, many, 2098198 bytes, 84 files, at 0xdc +A "ActionsPane3.xsd_x86.3643236F_FC70_11D3_A536_0090278A1BB8" +A "AppInfoDocAddInsStoreFile", 20 cffolders, flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1503 compression
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):2105054
                                                                                                                        Entropy (8bit):7.999700742986995
                                                                                                                        Encrypted:true
                                                                                                                        SSDEEP:49152:HXbGAy9XMAQXGnZkn8SFJ1FxrSO/sh6b9s1FDC2:H6vGXpnhL1FxK0h4FR
                                                                                                                        MD5:929578861CE75212462D6949657F8EEA
                                                                                                                        SHA1:DA34712AA9E9A98E6C0F4C30B597CAED1F39BA38
                                                                                                                        SHA-256:102488FEE2E99AD2F90E29FA13805ED7D04397619698D1DB9EAEFEF67E13486E
                                                                                                                        SHA-512:A074BA6F7A690E639A70BEB340E810C962C400EA286CFA11C9FD11A4BFDB00AE19C94EA614A56E4D92DEA2E83170B42E1AB421FF3B138B5AFDD9FFFE3509918F
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):98976
                                                                                                                        Entropy (8bit):6.152881272233491
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3072:Akv57OsX2T3TH0XzZP1Pwe8UXDCqCW17EM9laefT8:f57L2DTH0Z1Ie8YDNvaM8
                                                                                                                        MD5:726077810DEB0BB776A765807B7ACEBE
                                                                                                                        SHA1:C50053239D2611CC9F950D6D0A7944FFAF670744
                                                                                                                        SHA-256:FF5C14A2793F606E13D4CD08478BADCECEA195799EFB33358405720BA536A64B
                                                                                                                        SHA-512:BAF6F43825EE89DB994201EFAD11745D9639B43DF60302D9741B3B1B07535BC171A4E1F277AE0F1E8675396A4083E3E33B6CCF09BCF79100EF3D55D655C837D7
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):365720
                                                                                                                        Entropy (8bit):6.076210341866302
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:6144:zp7LhftuUCqANZ6b9uRGCi9S7brMpAzImEHHbHm/O37U:5IqANsb9utbZaVU
                                                                                                                        MD5:B3586D4E357F8CC88E989E53C74D34FA
                                                                                                                        SHA1:CE16FBEE3F79CDAA51A874D487CE88ACE6CA46A9
                                                                                                                        SHA-256:20167512E5331F32CECBAD0C979CE7587DB4E3BF03B4CB1F65960495168B71E1
                                                                                                                        SHA-512:C8EC2C7FEF7AF333F4E2775786DE64861536B4C94954C8A2E154DF1258B5C35FDF3BE365701BCB22CBE8E304C677F9912713A9ACE3AD8D06ED1A877E8BDF4CC3
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):48816
                                                                                                                        Entropy (8bit):6.05563444514686
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:768:8zzEFwbcyf64hHAikazzuB5aTPvDwN4op/pJOVS4QI48WAE8mTfvPKi:Ktf6VikAO58PvDwN4cRJcSKYAExfa
                                                                                                                        MD5:211F5FED028B52B38089746794DC17C4
                                                                                                                        SHA1:73F1B3308F714ADB3C920D088CFFE4A032550E8F
                                                                                                                        SHA-256:B64C047BA763E8AC0D20AC51D111BCB0EDE0DB8A646F386C98E668C9B91FDF36
                                                                                                                        SHA-512:1E88437ADD8B2B3425446FF0A4A8ED29F7DEBC3E9B04373C81A5AAF0658FBE1AE7F3FAB5900855F061865ED035883EDCA25F9488870E7D7ABE0A44C12057CF50
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):166544
                                                                                                                        Entropy (8bit):6.077147420941168
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3072:6/71j9gfwJTxt+TqXBYPmkvqNh0eQxUWSDjKvY:05gfQTUKBYOkE9Dj5
                                                                                                                        MD5:AB5F2E761CE188D5F395B781ECDFC5AE
                                                                                                                        SHA1:A97CD632DC2D637978334F9D4C50C8817118F6D5
                                                                                                                        SHA-256:6E6667734AE7E582AABBDCC7DED242E62254208B249972C348886D466587B95F
                                                                                                                        SHA-512:EA9C22E7E6AA18CC387230469367C75C633B205C4E554AF696BA8077361BEB19000ECE78AE6406BDEEF6BEBE1CDCF176622BD7536A54FBEA1A25C9FF3B92B525
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):17048
                                                                                                                        Entropy (8bit):5.970919943177378
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:192:GNoo2r0O6rUkxDv3X96XWLOWgPBfLeuDBks/nGfe4pBjSrFqI:GNoUO6rDxDPt6XWLOWkD5q0GftpBjZI
                                                                                                                        MD5:1B722F433069E623E61E9C276F7B2533
                                                                                                                        SHA1:97DB41DD449799834E913D3B5E0651BCA6BC4E02
                                                                                                                        SHA-256:AB16B1911A6A0B46854DE18C309A22945D672DF21A7BD3F08099E0693B6ABF4C
                                                                                                                        SHA-512:A36B5F6FC36ED587C3A1A3C9FAF9160C72D501E1920CE06A9A5D9D9730F5DE285B40B73EF17D16387B3C32255CC0BC73AB49E095417238AEC4304ED285AA47FC
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):22680
                                                                                                                        Entropy (8bit):5.56831197714251
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:i1xRZdZbrYxN6vywWWLTwpeRW/TK+k4mutF3mWmllIgWMyCGW/CaCIc3q0GftpBg:G7rQ+3LTPReTK+PmKFWwCnSii3
                                                                                                                        MD5:921E768D4E9B64297AF34F22BB8D9BE8
                                                                                                                        SHA1:87F2D48D61529B884A9C13C6E17689474E547BC5
                                                                                                                        SHA-256:60691B860BDDA9C24911B4F13129DC7A4F4D8F34F59D9FC756E7644549189E9E
                                                                                                                        SHA-512:2F5E2C05B815B99D73964A9C1ECFA7246BA1182D1048D9FFCF592334A0E7B9E954C9507AAF30E21988E8A2C4FD0296A362008670B984F4F8087F7A7AB090BA73
                                                                                                                        Malicious:false
                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........zlU..?U..?U..?\..?W..?:..?V..?U..?C..?:..?]..?:..?W..?2..?T..?2..?T..?RichU..?........PE..d....n.W.........." .........0.......................................................P....@.................................................8"..<....P..P"...@.......>............... ............................................... ...............................text............................... ..`.rdata....... ......................@..@.data...X....0......................@....pdata.......@......................@..@.rsrc...P"...P...$..................@..@.reloc...............<..............@..B........................................................................................................................................................................................................................................................................................
                                                                                                                        Process:C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exe
                                                                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: S&P Capital IQ Pro Plugin Manager, Author: S&P Global Market Intelligence, Keywords: Installer, Comments: S&P Capital IQ Pro Office, Template: Intel;1033, Revision Number: {F16935F8-F23A-4720-BD54-71BE8DB064DA}, Create Time/Date: Thu Apr 4 17:08:44 2024, Last Saved Time/Date: Thu Apr 4 17:08:44 2024, Number of Pages: 301, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.1.2318), Security: 2
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):4820992
                                                                                                                        Entropy (8bit):7.944154231922389
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:98304:bzlHHxYRemOM+Q3+I45LfQQTNTSOz+0uStN6BYRtWljyGqhF:dCerfqaLoQTNGOzmwwBY3WjG
                                                                                                                        MD5:E3DE50D65FFECF14BA4A6BA04A011286
                                                                                                                        SHA1:B8135627D4ABE71BC7D51E4479D4A6DD1B9CF804
                                                                                                                        SHA-256:416F72EA80F4797B44C11C5B87049A29F36B5A0FC505C50E28BD9EC37EB6899F
                                                                                                                        SHA-512:8BFCA3BBC7625EE20A92932BFC02E51E00605DFF1CDA2D8DBC37303FCE457D5A5C82364E0B0D107098EC9E1A38C5AD36673825F9872AF74EF24B924E0F1265C9
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exe
                                                                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: S&P Capital IQ Pro Office, Author: S&P Global Market Intelligence, Keywords: Installer, Comments: S&P Capital IQ Pro Office, Template: Intel;1033, Revision Number: {A34B3796-9442-4328-875C-4043632CEC59}, Create Time/Date: Thu Apr 4 17:14:30 2024, Last Saved Time/Date: Thu Apr 4 17:14:30 2024, Number of Pages: 301, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.1.2318), Security: 2
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):177909760
                                                                                                                        Entropy (8bit):7.999378812785999
                                                                                                                        Encrypted:true
                                                                                                                        SSDEEP:3145728:Gur9MxsBd6qnpx2tnQBcXE/qWxiPBDx9g4j/pIBtPDf8DeDEdbAYo9A:Guqy9n2KCd2ORIBtUKD+AY
                                                                                                                        MD5:8972115A8C22F49F48522ADC11475E1D
                                                                                                                        SHA1:1799375A068C88A55D5703896CD5477FB9D45692
                                                                                                                        SHA-256:B354809355612AB26E579AD665732C76A3A70F6021299F35888836F0E63E88D3
                                                                                                                        SHA-512:3F2D7B4F7634EB8365D185193EF27ABBA9A7E39BC0F05DE6B34BEBD12E4792F9172653B81E0A0DA70BBE4B8FB09A289AA28997105F62A8179025379DF4DB3ACB
                                                                                                                        Malicious:true
                                                                                                                        Process:C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):40293040
                                                                                                                        Entropy (8bit):7.9998820441717795
                                                                                                                        Encrypted:true
                                                                                                                        SSDEEP:786432:VymLquc2wR4K1zQQZvaq2/mDwTxvb65bksfqN:zqucHdJaqKIOvmZdfa
                                                                                                                        MD5:72F6A267DE1FA813073DED67D952FD40
                                                                                                                        SHA1:56704865939C2388913D05724632D7B3B67D3CD9
                                                                                                                        SHA-256:729E347DF0D99C3D40ED2AC5026F2D629FA001B4C13BE57B56E96591EC0116BC
                                                                                                                        SHA-512:C0389ABE583F4D86B0E8BB518684095AF08DE595E7DFAB440180786DEF223DEA78E98C809FFCEF6B6457C9F07EEFB735FC595192C7C37DFD31B2F67D4E9CF33F
                                                                                                                        Malicious:true
                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#pA.B...B...B..gM...B...B...B..gMC..B..gMA..B..gM@..B..gMD..B..Rich.B..........................PE..L....jkG.............................c... ........... ................................f.......... ....................................................f..>.......... "...............................&..@............ ...............................text........ ...................... ..`.data...............................@....rsrc.............f.................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                        Process:C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):687576
                                                                                                                        Entropy (8bit):7.291079287926429
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:12288:dAjuakTOfDlEU4HWDblFlOTPThN7INKwaNUgMI7QnA5Q:Gu/OfDlEUKWflmTP372KnMLAq
                                                                                                                        MD5:C09651C0422F8BB452B82232A454EEE8
                                                                                                                        SHA1:B7EC43F40CB6F8895DE76D658FC4E8B2ECBB3038
                                                                                                                        SHA-256:DC5F345565AA2CC4DD0B446D96204CB9F7135757795370FD581AB4A9458D8B1D
                                                                                                                        SHA-512:BE99051535C843E67D03E54836331B776D3545D785C5B1085188994D64492DF6B1B392D0957F0AA85BC4C89AF3333CBDBEA3CB20FF2431E21D2FD192D6A45CE7
                                                                                                                        Malicious:true
                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A!.S.@...@...@......@.....y@......@..."|..@..."{..@..."z.#@...8...@...8...@...@~.PA...#z.N@...#...@...@...@...#}..@..Rich.@..................PE..L......Z..........................................@..........................`............@..............................................G...........T.. )... ...=..Pv..T....................v......0p..@...................4........................text...7........................... ..`.rdata..`...........................@..@.data...0...........................@....wixburn8...........................@..@.rsrc....G.......H..................@..@.reloc...=... ...>..................@..B................................................................................................................................................................................................................................................
                                                                                                                        Process:C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exe
                                                                                                                        File Type:data
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):892
                                                                                                                        Entropy (8bit):2.244040687981117
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:12:3ZK34pgMClGttDK+xUH6qsl0lABZYttun2QQ2RmFCtZcQ7un2Q/JRmFh:pKUgMClcsZdKY27S
                                                                                                                        MD5:F1AFD690AF1D95A2608077372CCFD89E
                                                                                                                        SHA1:CCE48C3D788DE9D60629CECCC80B30D72BAD19E1
                                                                                                                        SHA-256:23922784D31B228CA0F30D3D861A0BAE203DD8C3C9C7D83E338C9974F00947C0
                                                                                                                        SHA-512:688D64D8CD33EBB904BCCAB6755F286F61D6B84D1E0CFBEE6D9011204784875179C54C5A5A7F51B851D6F6ECC001596200573114EF92C814E854E495C09E9213
                                                                                                                        Malicious:false
                                                                                                                        Preview:^...............................................................................................................................................................................................................................................................................................................................W.i.x.B.u.n.d.l.e.F.o.r.c.e.d.R.e.s.t.a.r.t.P.a.c.k.a.g.e.....................W.i.x.B.u.n.d.l.e.L.a.s.t.U.s.e.d.S.o.u.r.c.e.....................W.i.x.B.u.n.d.l.e.N.a.m.e.........S.&.P. .C.a.p.i.t.a.l. .I.Q. .P.r.o. .O.f.f.i.c.e.............W.i.x.B.u.n.d.l.e.O.r.i.g.i.n.a.l.S.o.u.r.c.e.....7...C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.D.e.s.k.t.o.p.\.S.P.C.a.p.I.Q.P.r.o.O.f.f.i.c.e.-.1...0...2.4.0.9.5...1...e.x.e.............W.i.x.B.u.n.d.l.e.O.r.i.g.i.n.a.l.S.o.u.r.c.e.F.o.l.d.e.r.........C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.D.e.s.k.t.o.p.\.............................................
                                                                                                                        Process:C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):687576
                                                                                                                        Entropy (8bit):7.291079287926429
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:12288:dAjuakTOfDlEU4HWDblFlOTPThN7INKwaNUgMI7QnA5Q:Gu/OfDlEUKWflmTP372KnMLAq
                                                                                                                        MD5:C09651C0422F8BB452B82232A454EEE8
                                                                                                                        SHA1:B7EC43F40CB6F8895DE76D658FC4E8B2ECBB3038
                                                                                                                        SHA-256:DC5F345565AA2CC4DD0B446D96204CB9F7135757795370FD581AB4A9458D8B1D
                                                                                                                        SHA-512:BE99051535C843E67D03E54836331B776D3545D785C5B1085188994D64492DF6B1B392D0957F0AA85BC4C89AF3333CBDBEA3CB20FF2431E21D2FD192D6A45CE7
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\e4b15374fbeb09b00c2ff6ea22\Setup.exe
                                                                                                                        File Type:HTML document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):16118
                                                                                                                        Entropy (8bit):3.6434775915277604
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:192:7Ddx3KOTczFQ21Kp4n5DTx1iDecPeLHLHQFJFjZWblWUxFzJzcKHjT:fdsOT01KcBUFJFEWUxFzvHH
                                                                                                                        MD5:CD131D41791A543CC6F6ED1EA5BD257C
                                                                                                                        SHA1:F42A2708A0B42A13530D26515274D1FCDBFE8490
                                                                                                                        SHA-256:E139AF8858FE90127095AC1C4685BCD849437EF0DF7C416033554703F5D864BB
                                                                                                                        SHA-512:A6EE9AF8F8C2C7ACD58DD3C42B8D70C55202B382FFC5A93772AF7BF7D7740C1162BB6D38A4307B1802294A18EB52032D410E128072AF7D4F9D54F415BE020C9A
                                                                                                                        Malicious:false
                                                                                                                        Preview:..<.!.D.O.C.T.Y.P.E. .h.t.m.l. .P.U.B.L.I.C. .".-././.W.3.C././.D.T.D. .X.H.T.M.L. .1...1././.E.N.". .".h.t.t.p.:././.w.w.w...w.3...o.r.g./.T.R./.x.h.t.m.l.1.1./.D.T.D./.x.h.t.m.l.1.1...d.t.d.".>.....<.!.-.-. .T.h.e. .E.x.t.e.n.d.e.d. .C.o.p.y.r.i.g.h.t./.T.r.a.d.e.m.a.r.k. .L.a.n.g.u.a.g.e. .R.e.s.i.d.e.s. .A.t.:. .h.t.t.p.:././.w.w.w...m.i.c.r.o.s.o.f.t...c.o.m./.i.n.f.o./.c.p.y.r.t.I.n.f.r.g...h.t.m. .-.-.>.....<.h.t.m.l. .x.m.l.n.s.=.".h.t.t.p.:././.w.w.w...w.3...o.r.g./.1.9.9.9./.x.h.t.m.l.".>.....<.h.e.a.d.>.......<.m.e.t.a. .h.t.t.p.-.e.q.u.i.v.=.".C.o.n.t.e.n.t.-.T.y.p.e.". .c.o.n.t.e.n.t.=.".t.e.x.t./.h.t.m.l.;. .c.h.a.r.s.e.t.=.u.t.f.-.1.6."./.>.<.b.a.s.e. .t.a.r.g.e.t.=."._.b.l.a.n.k."./.>.......<.s.t.y.l.e. .t.y.p.e.=.".t.e.x.t./.c.s.s.".>.........h.t.m.l.{.o.v.e.r.f.l.o.w.:.s.c.r.o.l.l.}.........b.o.d.y.{.f.o.n.t.-.s.i.z.e.:.1.0.p.t.;.f.o.n.t.-.f.a.m.i.l.y.:.V.e.r.d.a.n.a.;.c.o.l.o.r.:.#.0.0.0.0.0.0.;.b.a.c.k.g.r.o.u.n.d.-.c.o.l.o.r.:.#.F.0.F.0.F.0.}...........h.e.a.d.e.r.
                                                                                                                        Process:C:\e4b15374fbeb09b00c2ff6ea22\Setup.exe
                                                                                                                        File Type:data
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):14868
                                                                                                                        Entropy (8bit):3.66672657969151
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:192:RuSmw9kSL22ZICGOPmYlWgDsPKOiT+BZUW:Rqh2ZICGOugDsPKOHBZUW
                                                                                                                        MD5:56689F9883056E577B4F7AAA7882A726
                                                                                                                        SHA1:AD65D05EE4CA9F09BAB66FACAFF4D19440B42BE8
                                                                                                                        SHA-256:4BB83111E25A17AECF04FE6945FDB78AB3A17FA6AC63E7B0F0A5CB05EB911C07
                                                                                                                        SHA-512:F748931CE0EE08A15721A881E3F643CDB7110910C4F49B43CA003E6358D56F1EF091D49D64CB58373C877941E1F7AD6C51AA5D97C0714211857EB52CA45C9C24
                                                                                                                        Malicious:false
                                                                                                                        Preview:....<.s.p.a.n. .c.l.a.s.s.=.".v.b.e.".>.<.s.p.a.n. .c.l.a.s.s.=.".t.".>.[.4./.1.9./.2.0.2.4.,. .2.:.5.3.:.1.3.].<./.s.p.a.n.>.c.a.l.l.i.n.g. .P.e.r.f.o.r.m.A.c.t.i.o.n. .o.n. .a.n. .i.n.s.t.a.l.l.i.n.g. .p.e.r.f.o.r.m.e.r.<.B.R.>.<./.s.p.a.n.>.....<.s.p.a.n. .c.l.a.s.s.=.".a.c.t.".>.<.d.i.v. .c.l.a.s.s.=.".s.e.c.t.i.o.n.H.d.r.".>.<.a. .h.r.e.f.=.".#.". .o.n.c.l.i.c.k.=.".t.o.g.g.l.e.S.e.c.t.i.o.n.(.).;. .e.v.e.n.t...r.e.t.u.r.n.V.a.l.u.e.=.f.a.l.s.e.;.".>.<.s.p.a.n. .c.l.a.s.s.=.".s.e.c.t.i.o.n.E.x.p.".>.<.s.p.a.n. .c.l.a.s.s.=.".t.".>.[.4./.1.9./.2.0.2.4.,. .2.:.5.3.:.1.3.]. .<./.s.p.a.n.>.A.c.t.i.o.n.:. .P.e.r.f.o.r.m.i.n.g. .a.c.t.i.o.n.s. .o.n. .a.l.l. .I.t.e.m.s.<./.s.p.a.n.>.<.s.p.a.n. .c.l.a.s.s.=.".s.e.c.t.i.o.n.E.x.p.2.".>.......<.B.R.>.<./.s.p.a.n.>.<./.a.>.<./.d.i.v.>.<.d.i.v. .c.l.a.s.s.=.".s.e.c.t.i.o.n.".>.....<.s.p.a.n. .c.l.a.s.s.=.".v.b.e.".>.<.s.p.a.n. .c.l.a.s.s.=.".t.".>.[.4./.1.9./.2.0.2.4.,. .2.:.5.3.:.1.3.].<./.s.p.a.n.>.W.a.i.t. .f.o.r. .I.t.e.m. .(.M.S.I.S.e.r.
                                                                                                                        Process:C:\5dbc7bbf14917454e3442522d4a6\Setup.exe
                                                                                                                        File Type:HTML document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):16118
                                                                                                                        Entropy (8bit):3.6434775915277604
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:192:7Ddx3KOTczFQ21Kp4n5DTx1iDecPeLHLHQFJFjZWblWUxFzJzcKHjT:fdsOT01KcBUFJFEWUxFzvHH
                                                                                                                        MD5:CD131D41791A543CC6F6ED1EA5BD257C
                                                                                                                        SHA1:F42A2708A0B42A13530D26515274D1FCDBFE8490
                                                                                                                        SHA-256:E139AF8858FE90127095AC1C4685BCD849437EF0DF7C416033554703F5D864BB
                                                                                                                        SHA-512:A6EE9AF8F8C2C7ACD58DD3C42B8D70C55202B382FFC5A93772AF7BF7D7740C1162BB6D38A4307B1802294A18EB52032D410E128072AF7D4F9D54F415BE020C9A
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe
                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):2
                                                                                                                        Entropy (8bit):1.0
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3:Qn:Qn
                                                                                                                        MD5:F3B25701FE362EC84616A93A45CE9998
                                                                                                                        SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                                                                                        SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                                                                                        SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with very long lines (315), with CRLF, LF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):810078
                                                                                                                        Entropy (8bit):3.8317067627029386
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3072:I9qjQBiujMMMMMMMMMMMMFFFFFBMkBeT/e3ANguj45zOgj6pr1aK0Aj/we0XXXXE:QqjkYpmAjdl
                                                                                                                        MD5:26D0DA08F918883B4221B2CB9828A963
                                                                                                                        SHA1:F3892F51DF7689CC5CFC0C006322E71C5C5CD47F
                                                                                                                        SHA-256:EB683E24DE7FE96F1057EAF5299E3D1D0757036A214F75F6FFFAB273D8C513BA
                                                                                                                        SHA-512:E60D871D726B33D4EEFA966A11F9D311BADA7F859B95E7E45F46A36262F449DFF7A1B1D85B53C08EDCA9F735FC12B3FFF964DB58B11E78BB07BEDC175A5E4602
                                                                                                                        Malicious:false
                                                                                                                        Preview:..=.=.=. .V.e.r.b.o.s.e. .l.o.g.g.i.n.g. .s.t.a.r.t.e.d.:. .1.9./.0.4./.2.0.2.4. . .0.2.:.5.3.:.1.4. . .B.u.i.l.d. .t.y.p.e.:. .S.H.I.P. .U.N.I.C.O.D.E. .5...0.0...1.0.0.1.1...0.0. . .C.a.l.l.i.n.g. .p.r.o.c.e.s.s.:. .c.:.\.e.4.b.1.5.3.7.4.f.b.e.b.0.9.b.0.0.c.2.f.f.6.e.a.2.2.\.S.e.t.u.p...e.x.e. .=.=.=.....M.S.I. .(.c.). .(.3.0.:.B.C.). .[.0.2.:.5.3.:.1.4.:.7.0.2.].:. .R.e.s.e.t.t.i.n.g. .c.a.c.h.e.d. .p.o.l.i.c.y. .v.a.l.u.e.s.....M.S.I. .(.c.). .(.3.0.:.B.C.). .[.0.2.:.5.3.:.1.4.:.7.0.2.].:. .M.a.c.h.i.n.e. .p.o.l.i.c.y. .v.a.l.u.e. .'.D.e.b.u.g.'. .i.s. .0.....M.S.I. .(.c.). .(.3.0.:.B.C.). .[.0.2.:.5.3.:.1.4.:.7.0.2.].:. .*.*.*.*.*.*.*. .R.u.n.E.n.g.i.n.e.:..... . . . . . . . . . . .*.*.*.*.*.*.*. .P.r.o.d.u.c.t.:. .c.:.\.e.4.b.1.5.3.7.4.f.b.e.b.0.9.b.0.0.c.2.f.f.6.e.a.2.2.\.V.C._.R.e.d._.x.8.6.\.v.c._.r.e.d...m.s.i..... . . . . . . . . . . .*.*.*.*.*.*.*. .A.c.t.i.o.n.:. ..... . . . . . . . . . . .*.*.*.*.*.*.*. .C.o.m.m.a.n.d.L.i.n.e.:. .*.*.*.*.*.*.*.*.*.*.....M.S.I. .(.c.). .(.
                                                                                                                        Process:C:\e4b15374fbeb09b00c2ff6ea22\Setup.exe
                                                                                                                        File Type:HTML document, Unicode text, UTF-16, little-endian text, with very long lines (346), with CRLF line terminators
                                                                                                                        Category:modified
                                                                                                                        Size (bytes):309778
                                                                                                                        Entropy (8bit):3.6397616464979894
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:fdsWyUr+WUxpvMM3z1hQUkwJ99JyuOCIMJNRFznL/84I87vp9tTSvQX8uPHrQNlT:fdsWTr+WUxpvMQXFk
                                                                                                                        MD5:637D4553924CC532ACCAD03B1C30C5E0
                                                                                                                        SHA1:5E877459BCC038C7DFC20F2D71ADBC4A03091DC7
                                                                                                                        SHA-256:DF42F2D6187697D46992C6E75A43BBC4D9087FF0A5290E847D294FAA2CBC0BB0
                                                                                                                        SHA-512:1FB9472CA6A2D5F74BFFDB87B3828587713ECF767345BAEB57489E979CDC8C85090679DA9AE61BA1F02C84DBB2411FE0BD50ABD35854D5A4E60E4550E09967B7
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\5dbc7bbf14917454e3442522d4a6\Setup.exe
                                                                                                                        File Type:HTML document, Unicode text, UTF-16, little-endian text, with very long lines (329), with CRLF line terminators
                                                                                                                        Category:modified
                                                                                                                        Size (bytes):42722
                                                                                                                        Entropy (8bit):3.7368083002087698
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:768:fdsOTLyUFJFEWUxFzvuwTnRVUAQ09ZZ9eySuM49pFhnD/bo8MovLdZJzO49:fdsWyUr+WUxpvuwTnRVUAQ09ZZ9eySuZ
                                                                                                                        MD5:45161B5493DCCFF4247187017616BF6B
                                                                                                                        SHA1:9FABC49B9B59439B5CA052CC9111296ED6EF417A
                                                                                                                        SHA-256:2EDB812A85BC1320427D6C5D61CE3D2290E2BFD3D5A65EAE9FE340154806E665
                                                                                                                        SHA-512:5FABF059EF9DC52A7C8D0C419D57188ECEE274E7069CD017DC29C53DE1B465121C2A4C53386E8CA17A504307C7F78DA42230DFBDB99E2E23D4E1400D078A364B
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exe
                                                                                                                        File Type:ASCII text, with very long lines (588), with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):29368
                                                                                                                        Entropy (8bit):5.587140162356542
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:768:BTp8UEyj2pcXnbIuj2pcXnbIlj2pcXnbIzj2pcXnbI0j2pcXnbI2j2pcXnbITj2o:n8UE+kE8BLt
                                                                                                                        MD5:23F95F9DFA06F2152D806137FBF2CF58
                                                                                                                        SHA1:0531F40B7FE0E9E4AA447529BD02408C51EE2DF5
                                                                                                                        SHA-256:5AEC23E7EB0DBE44AAD70D97F2303AF68A95D4E8D2397562664591416437563A
                                                                                                                        SHA-512:BF6D07FB5A661EFD3565C3BDB0FA4F06FDE8B702F44D08E8335FFE7FF14AFAA10E6E8855AA13C4BE8745D69235AF88442F14FD7F1523A4F61A5244F907050735
                                                                                                                        Malicious:false
                                                                                                                        Preview:[1CA8:1CAC][2024-04-19T02:52:09]i001: Burn v3.11.1.2318, Windows v10.0 (Build 19045: Service Pack 0), path: C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exe..[1CA8:1CAC][2024-04-19T02:52:09]i000: Initializing string variable 'BaseUrl' to value 'https://www.capitaliq.spglobal.com/'..[1CA8:1CAC][2024-04-19T02:52:09]i000: Initializing string variable 'ChinaBaseUrl' to value 'https://www.capitaliq.spglobal.cn/'..[1CA8:1CAC][2024-04-19T02:52:09]i000: Initializing string variable 'OfficeToolsUri' to value 'apiservices/office-tools-service/Content/OfficeTools/2205/Common/SPGMI.OfficeToolsDeployment.vsto'..[1CA8:1CAC][2024-04-19T02:52:09]i000: Initializing string variable 'EmpowerUri' to value 'apiservices/office-tools-service/Content/Empower/empower-1.0.24095.1.exe'..[1CA8:1CAC][2024-04-19T02:52:09]i000: Initializing numeric variable 'EnableCiqUdf' to value '1'..[1CA8:1CAC][2024-04-19T02:52:09]i000: Initializing numeric variable 'DisableCiqUdf' to va
                                                                                                                        Process:C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exe
                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):2668
                                                                                                                        Entropy (8bit):3.6917799649566296
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:48:YcdU+0pbUPBJxP31JBPmdCnreP9FORLiP6PkPhj/AcdPhaqcPPJotocwmrPQ5v:Y1+0poPPxPTBPqCqPPO4P6PkPhnPYfPB
                                                                                                                        MD5:25C1486EC5B08A0603757913478C15E7
                                                                                                                        SHA1:565EBAE5C85FE9C8AFD55C419C630BCDA842B10B
                                                                                                                        SHA-256:C169B2465E43BC2B15DFD27570C0666E0A387CC07A6EA795C16C53F6EC16BC23
                                                                                                                        SHA-512:82FEA803B24DA3F477916CE04271B16E06291D95D3F48FA559B4360AA5C8C722565262BF6DE581275559BB577502FF8859E74179322AD32D052229B2FB9C6904
                                                                                                                        Malicious:false
                                                                                                                        Preview:..=.=.=. .V.e.r.b.o.s.e. .l.o.g.g.i.n.g. .s.t.a.r.t.e.d.:. .1.9./.0.4./.2.0.2.4. . .0.2.:.5.4.:.0.6. . .B.u.i.l.d. .t.y.p.e.:. .S.H.I.P. .U.N.I.C.O.D.E. .5...0.0...1.0.0.1.1...0.0. . .C.a.l.l.i.n.g. .p.r.o.c.e.s.s.:. .C.:.\.W.i.n.d.o.w.s.\.T.e.m.p.\.{.2.5.7.5.F.3.7.D.-.4.D.5.9.-.4.A.D.E.-.9.B.3.5.-.8.3.3.A.B.C.7.6.F.3.A.4.}.\...b.e.\.S.P.C.a.p.I.Q.P.r.o.O.f.f.i.c.e.-.1...0...2.4.0.9.5...1...e.x.e. .=.=.=.....M.S.I. .(.c.). .(.F.C.:.2.4.). .[.0.2.:.5.4.:.0.6.:.5.2.9.].:. .R.e.s.e.t.t.i.n.g. .c.a.c.h.e.d. .p.o.l.i.c.y. .v.a.l.u.e.s.....M.S.I. .(.c.). .(.F.C.:.2.4.). .[.0.2.:.5.4.:.0.6.:.5.2.9.].:. .M.a.c.h.i.n.e. .p.o.l.i.c.y. .v.a.l.u.e. .'.D.e.b.u.g.'. .i.s. .0.....M.S.I. .(.c.). .(.F.C.:.2.4.). .[.0.2.:.5.4.:.0.6.:.5.2.9.].:. .*.*.*.*.*.*.*. .R.u.n.E.n.g.i.n.e.:..... . . . . . . . . . . .*.*.*.*.*.*.*. .P.r.o.d.u.c.t.:. .C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.P.a.c.k.a.g.e. .C.a.c.h.e.\.{.8.A.B.F.4.4.4.C.-.2.4.9.8.-.4.B.3.7.-.A.9.6.0.-.9.1.B.F.E.1.4.8.1.E.D.5.}.v.1...0...2.4.0.9.5...1.\.S.P.C.
                                                                                                                        Process:C:\e4b15374fbeb09b00c2ff6ea22\Setup.exe
                                                                                                                        File Type:HTML document, Unicode text, UTF-16, little-endian text, with very long lines (329), with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):41828
                                                                                                                        Entropy (8bit):3.736856778673138
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:768:fdsOTLyUFJFEWUxFzvMM3z1hQUkwJ99JyuOCIMJNRFznL/84I87vp9tTSO:fdsWyUr+WUxpvMM3z1hQUkwJ99JyuOCB
                                                                                                                        MD5:C778E72E3C4EE5204566EA16DC97BF6F
                                                                                                                        SHA1:8DEC54F93F5A9D4A35B42FD73E92BE6280C940DE
                                                                                                                        SHA-256:29D45B8E40E7CF8B35DF093EFB33D5D0B553EE101DD3B09C8BC9CFE9AAC6749E
                                                                                                                        SHA-512:B0F04AD24FE8CBBA296A0DEEDE7F9D89E9E4319F9535C33A429B37E7C753E56AB85101D88764973DA945D129C8AE447717FC3CF46498D458F651B828D661C5C9
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\5dbc7bbf14917454e3442522d4a6\Setup.exe
                                                                                                                        File Type:HTML document, Unicode text, UTF-16, little-endian text, with very long lines (329), with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):41864
                                                                                                                        Entropy (8bit):3.7375658712544597
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Preview:<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">..<!-- The Extended Copyright/Trademark Language Resides At: http://www.microsoft.com/info/cpyrtInfrg.htm -->..<html xmlns="http://www.w3.org/1999/xhtml">..<head>...<meta http-equiv="Content-Type" content="text/html; charset=utf-16"/><base target="_blank"/>...<style type="text/css">....html{overflow:scroll}....body{font-size:10pt;font-family:Verdana;color:#000000;background-color:#F0F0F0}.....header
                                                                                                                        Process:C:\9e8b505ac5bf67d26cfba004c7a3fd\install.exe
                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):326
                                                                                                                        Entropy (8bit):3.600770436855832
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Preview:..STATUS: Logging Started  ..STATUS: Initializing Watson.....Entering InitializeParameters..[04/19/24,02:53:45] IsCorpnet=0..[04/19/24,02:53:45] Outer UIFlags=0..
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):962742
                                                                                                                        Entropy (8bit):3.8608232969811422
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Preview:=== Verbose logging started: 19/04/2024  02:53:28  Build type: SHIP UNICODE 5.00.10011.00  Calling process: c:\9e8b505ac5bf67d26cfba004c7a3fd\install.exe ===..MSI (c) (F0:30) [02:53:28:961]: Resetting cached policy values..MSI (c) (F0:30) [02:53:28:961]: Machine policy value 'Debug' is 0..MSI (c) (F0:30) [02:53:28:961]: ******* RunEngine:..           ******* Product: c:\9e8b505ac5bf67d26cfba004c7a3fd\vstor40_x64.msi..           ******* Action: ..           ******* CommandLine: **********..MSI (
                                                                                                                        Process:C:\9e8b505ac5bf67d26cfba004c7a3fd\install.exe
                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):11476
                                                                                                                        Entropy (8bit):3.770422959108001
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Preview:..[04/19/24,02:53:28] ========== Logging started ==========..[04/19/24,02:53:28] =====================================..[04/19/24,02:53:28] No language specified in ini file default to OS language..[04/19/24,02:53:28] Failed to set lang to OS language 2057..[04/19/24,02:53:28] Set lang to ENU 1033..[04/19/24,02:53:28]  Pending Reboot Table state : Logging start ..[04/19/24,02:53:28]    _________________________________________..[04/19/24,02:53:28] There are no queued up pending reboot entries..
                                                                                                                        Process:C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe
                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 text, with very long lines (403), with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):4116
                                                                                                                        Entropy (8bit):5.020301733311631
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<WixLocalization Culture="es-hn" Language="18442" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">Instalaci.n de [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.Est. seguro de que desea cancelar?</String>.. <String Id="HelpHeader">Ayuda para la Instalaci.n</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - Instala, repara, desinstala o..crea una copia local completa del paquete en el directorio. Instalar es la opci.n predeterminada...../passive | /quiet - Muestra una interfaz de usuario m.nima y sin instrucciones o..no muestra la interfaz de usuario ni las instrucciones. La opci.n predeterminada muestra la interfaz de usuario y todas las instrucciones...../norestart - Impide cualquier intento de reiniciar. La interfaz de usuario mostrar. de forma predeterminada un aviso antes de reiniciar.../log log.
                                                                                                                        Process:C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe
                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):3560
                                                                                                                        Entropy (8bit):6.211589245812524
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<WixLocalization Culture="zh-cn" Language="2052" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">[WixBundleName] ..</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">........</String>.. <String Id="HelpHeader">....</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - ........ ................................/passive | /quiet - .... UI ....... UI ....... ........ UI ........../norestart - .................... UI.../log log.txt - ................. %TEMP% ....</String>.. <String Id="HelpCloseButton">..(&amp;C)</String>.. <String Id="InstallLicenseLinkText">[WixBundleName] &lt;a href="#"
                                                                                                                        Process:C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe
                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 text, with very long lines (371), with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):4077
                                                                                                                        Entropy (8bit):5.078273827092147
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<WixLocalization Culture="de-de" Language="1031" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">Setup von [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">M.chten Sie den Vorgang wirklich abbrechen?</String>.. <String Id="HelpHeader">Setup-Hilfe</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - installiert, repariert oder deinstalliert.. das Paket oder erstellt eine vollst.ndige lokale Kopie davon im Verzeichnis. Installieren ist der Standardbefehl...../passive | /quiet - zeigt eine minimale Benutzeroberfl.che (UI) ohne Meldungen oder keine UI und.. keine Meldungen an. Standardm..ig werden die UI und alle Meldungen angezeigt...../norestart - unterdr.ckt jeden Versuch eines Neustarts. Standardm..ig wird auf der UI vor dem Neustart eine Meldung angezeigt.../log log.txt . erstellt ein Protokoll in
                                                                                                                        Process:C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe
                                                                                                                        File Type:XML 1.0 document, ASCII text, with very long lines (354), with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):3803
                                                                                                                        Entropy (8bit):5.032354520770157
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<WixLocalization Culture="en-us" Language="1033" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">[WixBundleName] Setup</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Are you sure you want to cancel?</String>.. <String Id="HelpHeader">Setup Help</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - installs, repairs, uninstalls or.. creates a complete local copy of the bundle in directory. Install is the default...../passive | /quiet - displays minimal UI with no prompts or displays no UI and.. no prompts. By default UI and all prompts are displayed...../norestart - suppress any attempts to restart. By default UI will prompt before restart.../log log.txt - logs to a specific file. By default a log file is created in %TEMP%.</String>.. <String Id="HelpCloseButton">&amp;Close</String>.. <String Id="InstallLicenseLinkText">[
                                                                                                                        Process:C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe
                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):4622
                                                                                                                        Entropy (8bit):5.888907467553762
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<WixLocalization Culture="ja-jp" Language="1041" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">[WixBundleName] ......</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">...............</String>.. <String Id="HelpHeader">..........</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory]...................... .........................................................../passive | /quiet..... UI ......................UI ................ ........UI....................../norestart.......
                                                                                                                        Process:C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe
                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):5822
                                                                                                                        Entropy (8bit):5.177630994039433
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<Theme xmlns="http://wixtoolset.org/schemas/thmutil/2010">.. <Window Width="485" Height="300" HexStyle="100a0000" FontId="0">#(loc.Caption)</Window>.. <Font Id="0" Height="-12" Weight="500" Foreground="000000" Background="FFFFFF">Segoe UI</Font>.. <Font Id="1" Height="-24" Weight="500" Foreground="000000">Segoe UI</Font>.. <Font Id="2" Height="-22" Weight="500" Foreground="666666">Segoe UI</Font>.. <Font Id="3" Height="-12" Weight="500" Foreground="000000" Background="FFFFFF">Segoe UI</Font>.. <Font Id="4" Height="-12" Weight="500" Foreground="ff0000" Background="FFFFFF" Underline="yes">Segoe UI</Font>.... <Image X="11" Y="11" Width="275" Height="64" ImageFile="..\logo.png" Visible="yes"/>.... <Page Name="Help">.. <Text X="11" Y="80" Width="-11" Height="30" FontId="2" DisablePrefix="yes">#(loc.HelpHeader)</Text>.. <Text X="11" Y="112" Width="-11" Height="-35" FontId="3" DisablePrefix="yes">#(loc.HelpText)</Te
                                                                                                                        Process:C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe
                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 text, with very long lines (354), with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):3848
                                                                                                                        Entropy (8bit):5.124942481420578
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<WixLocalization Culture="pt-br" Language="1046" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">Configura..o [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Tem certeza de que deseja cancelar?</String>.. <String Id="HelpHeader">Ajuda para configura..o</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - instala, repara, desinstala ou.. cria uma c.pia local completa do pacote no diret.rio. O padr.o . instalar...../passive | /quiet - exibe UI m.nima sem alerta ou n.o exibe UI nem.. alerta. Por padr.o, a UI e todos os alertas s.o exibidos...../norestart - impede qualquer tentativa de reiniciar. Por padr.o, a UI exibe alerta antes de reiniciar.../log log.txt - registra um arquivo espec.fico. Por padr.o, um arquivo de registro . criado em %TEMP%.</String>.. <String Id="HelpCloseButton">&amp;Fe
                                                                                                                        Process:C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe
                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 text, with very long lines (403), with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):4116
                                                                                                                        Entropy (8bit):5.020301733311631
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:96:BTfNydGeKamCZph9sg6EcdRUu798zI/0qAo:CG8Qd/0qx
                                                                                                                        MD5:3D30E85DFA1AC09539917F39281AFEC1
                                                                                                                        SHA1:B148CF60EA4525D68C02FB2D70E278DA563EDC06
                                                                                                                        SHA-256:A741D086C9D4078C03432F6C55583F5918028A867B0E006E9737978DF94E5919
                                                                                                                        SHA-512:7622EB019A56CCAFFFCB834000B53CBEBA9562065E4FF02EED64913DAF65E4D622D623D136DC56AA0CC83697632044F26D0530E897B99D7D6D25543465924435
                                                                                                                        Malicious:false
                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<WixLocalization Culture="es-hn" Language="18442" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">Instalaci.n de [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.Est. seguro de que desea cancelar?</String>.. <String Id="HelpHeader">Ayuda para la Instalaci.n</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - Instala, repara, desinstala o..crea una copia local completa del paquete en el directorio. Instalar es la opci.n predeterminada...../passive | /quiet - Muestra una interfaz de usuario m.nima y sin instrucciones o..no muestra la interfaz de usuario ni las instrucciones. La opci.n predeterminada muestra la interfaz de usuario y todas las instrucciones...../norestart - Impide cualquier intento de reiniciar. La interfaz de usuario mostrar. de forma predeterminada un aviso antes de reiniciar.../log log.
                                                                                                                        Process:C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe
                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):3560
                                                                                                                        Entropy (8bit):6.211589245812524
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:48:cVT8tOeststhDnkT9C5WNJriuSpN/l/fN3mZS3uNONeN1rZ8vWqPSlTKRKUTKlK2:8TafTk5CgNJGzf8mkE0EFZCmJHQ9
                                                                                                                        MD5:1A41D14ACE8494C97A55FBDDF5C51970
                                                                                                                        SHA1:6B060BED64F764C982A2445F98D3172E18D30354
                                                                                                                        SHA-256:A4FEA39366F239A50AC32B715CCD4327BE584C0A84DFCA7678980A3D9C3D5571
                                                                                                                        SHA-512:C9008B5FDDD9F537B183C970CF6D3DC84CFD0C8CCAD6E5D79C61A84B4D897A3C6C5080BE1FD273CC0B27D92FB760CDAC5636404107CB7089EA530F71632FB04C
                                                                                                                        Malicious:false
                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<WixLocalization Culture="zh-cn" Language="2052" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">[WixBundleName] ..</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">........</String>.. <String Id="HelpHeader">....</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - ........ ................................/passive | /quiet - .... UI ....... UI ....... ........ UI ........../norestart - .................... UI.../log log.txt - ................. %TEMP% ....</String>.. <String Id="HelpCloseButton">..(&amp;C)</String>.. <String Id="InstallLicenseLinkText">[WixBundleName] &lt;a href="#"
                                                                                                                        Process:C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe
                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (1032), with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):40240
                                                                                                                        Entropy (8bit):3.8054886633767677
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:X0svI+x61h6N/nEGk3639BW4EIxN4+NmQ/NqlbbOmdUSTOb5PH:X0svI+x61h6N/nEGG09B3ZxN4+Nf
                                                                                                                        MD5:B4B2C7360FAEFF41522CEDE49C4B33E9
                                                                                                                        SHA1:AA148E0CA7EF92A0D289B364391ACBAF963CA949
                                                                                                                        SHA-256:43886E128AA95B5BA4068FE80502AEAC778339DA734B25133B855DBEE28E39DC
                                                                                                                        SHA-512:0CD34526BFAAD02DBA8A10821E0CC76329C15E683171E026E531ABC84452F2332744AB57D5FCF029703FE7021166B822E1DDE54712240ED4FD323B7303F77AC2
                                                                                                                        Malicious:false
                                                                                                                        Preview:<?xml version="1.0" encoding="utf-16"?>..<BootstrapperApplicationData xmlns="http://schemas.microsoft.com/wix/2010/BootstrapperApplicationData">..  <WixBalCondition Condition="InternetExplorerVersion &gt;= MinimumInternetExplorerVersion" Message="#(loc.InternetExplorerRequired)" />..  <WixBundleProperties DisplayName="S&amp;P Capital IQ Pro Office" LogPathVariable="WixBundleLog" Compressed="no" Id="{56aa9754-57aa-4a26-a164-12075d94eb2e}" UpgradeCode="{A73CE2F3-7813-4554-8CAB-D53B1497D832}" PerM
                                                                                                                        Process:C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe
                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):115200
                                                                                                                        Entropy (8bit):6.5083800934218425
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3072:AQ2K71sM1vkNv+xum5KuY36mcCgFj+K8wV3K9j8b:AQ26CMC+Qm0B6egRJCjO
                                                                                                                        MD5:73245714C643A0EAB0CDEF257F1A69E3
                                                                                                                        SHA1:7745F703EEC01BC8280FB69CC1E38A7F18993D7F
                                                                                                                        SHA-256:5E3C19623F55D2160967CA1BC8BB23FD17006DC34DDB082277F56019DEB62120
                                                                                                                        SHA-512:0594CDF30BA50702515C751FE281EB03223241DF51E08DEF7EB88596207ACF330E7A5B93A7F453BD9B2E0E90D74C3FAA5A9FC8D3976552A5EEE689B035773C54
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe
                                                                                                                        File Type:PNG image data, 400 x 70, 8-bit/color RGBA, non-interlaced
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):32988
                                                                                                                        Entropy (8bit):7.973162959752592
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:768:iRjXONedB6J9BFhCK1HLbmnFlP1xcoQmzF2AXHWPzIYXNeGy:i5O0D6J9BnCKxbmDP3D4y25eGy
                                                                                                                        MD5:746C38F3B09E6FAFA039363E990AB750
                                                                                                                        SHA1:645BF05B1371060468C66E4ACF824879FE772E1A
                                                                                                                        SHA-256:D77BF860F71F874004C9132395005714794CF8C7084BFC58ADE03771EC1FEE66
                                                                                                                        SHA-512:F9A9C1988E3D01E5056F5AEBC41513AE2100AF3909B185761D855AADD721D786F664E360690002461A116F669171CDD9DAE2DE734F7CBE364A8B2FD5DC543F9D
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe
                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):4509
                                                                                                                        Entropy (8bit):5.019310194487883
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:96:8LuThH+bhBabTxmOeup/vrwWATZgoVOBq9LRO:UbirwBDzO
                                                                                                                        MD5:FC0DB4142556D3F38B0744A12F5F9D3D
                                                                                                                        SHA1:B0595044C4CAC49FE89B982E6AEC9BAFF38460AD
                                                                                                                        SHA-256:8FBEB7F0B546D394D99B49D678D516402E8F54E5DEA590CC91733F502F288019
                                                                                                                        SHA-512:F2F29DB5F3B0E13BC0B1FE738EF90B65D82E5513D0F82EB663C39313C5EDAAB53FDEB4BCC0493374253B2994B927CFD5764F5FEDAFD2E3F570D09893F9B26582
                                                                                                                        Malicious:false
                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>.. <!-- Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information. -->......<WixLocalization Culture="en-us" Language="1033" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">[WixBundleName] Setup</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="InstallHeader">Welcome</String>.. <String Id="InstallMessage">Setup will install [WixBundleName] on your computer. Click install to continue, options to set the install directory or Close to exit.</String>.. <String Id="InstallVersion">Version [WixBundleVersion]</String>.. <String Id="ConfirmCancelMessage">Are you sure you want to cancel?</String>.. <String Id="ExecuteUpgradeRelatedBundleMessage">Previous version</String>.. <String Id="HelpHeader">Setup Help</String>.. <String Id="HelpText">/install | /repair | /uninsta
                                                                                                                        Process:C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe
                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):6472
                                                                                                                        Entropy (8bit):5.2470152236657706
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:96:SfF9OXcXRja6O4z96DY1ZHaFhikGg3znCO88mesP33sw2:SfJaoTE
                                                                                                                        MD5:F2FFDD5BEC2D3D057E68C4DBFCEDC57E
                                                                                                                        SHA1:0F0C7125A543BD73AAB1D82807AF5EF98FCF0C17
                                                                                                                        SHA-256:6D96E1048D409CB12A02F331AE84688848BC31416E49E475565216C514B30485
                                                                                                                        SHA-512:011EEBA0084223987905ED42EC40D24D575BCA9B9D0294C650A538BE35950055877FD3B31CB8B20F047C067B722C9AFB3A28B87C29AEF0F907B0E49A03EF2AB6
                                                                                                                        Malicious:false
                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<Theme xmlns="http://wixtoolset.org/schemas/thmutil/2010">.. <Window Width="495" Height="310" HexStyle="100a0000" FontId="0">#(loc.Caption)</Window>.. <Font Id="0" Height="-12" Weight="500" Foreground="000000" Background="FFFFFF">Segoe UI</Font>.. <Font Id="1" Height="-24" Weight="500" Foreground="000000">Segoe UI</Font>.. <Font Id="2" Height="-22" Weight="500" Foreground="666666">Segoe UI</Font>.. <Font Id="3" Height="-12" Weight="500" Foreground="000000" Background="FFFFFF">Segoe UI</Font>.. <Font Id="4" Height="-12" Weight="500" Foreground="ff0000" Background="FFFFFF" Underline="yes">Segoe UI</Font>.... <Image X="11" Y="11" Width="400" Height="70" ImageFile="logo.png" Visible="yes"/>.... <Page Name="Help">.. <Text X="11" Y="80" Width="-11" Height="30" FontId="2" DisablePrefix="yes">#(loc.HelpHeader)</Text>.. <Text X="11" Y="112" Width="-11" Height="-35" FontId="3" DisablePrefix="yes">#(loc.HelpText)</Text>.. <Button Name="Help
                                                                                                                        Process:C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe
                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):179200
                                                                                                                        Entropy (8bit):6.528352683227767
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3072:Pl5bBa/bNK3w4AY6CHGN6XZhuEvY2P9bK6SEPZY/Sq6QY9vJ/SLi9Y+WxhslrN1j:PlPa/bN+w/YhzXZhyQK6zPucy2jblx1j
                                                                                                                        MD5:8CA04519005AD03B4D9E062B97D7F79D
                                                                                                                        SHA1:DF53ED9440D027401D502F3297668009030350A7
                                                                                                                        SHA-256:7B9F919A3D1974FD8FA35AD189EDC8BF287F476BD377E713E616B26864A4B0D3
                                                                                                                        SHA-512:1A29E9E9BD798C892A7CD3CD4FF259195E4A92E26F53E8F1A86C75C5EB8FDDA58CEBA312CD791651FAD5CE04529696195815A4BA5C143AD52A5EA0D7C539BB77
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe
                                                                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: S&P Capital IQ Pro Plugin Manager, Author: S&P Global Market Intelligence, Keywords: Installer, Comments: S&P Capital IQ Pro Office, Template: Intel;1033, Revision Number: {F16935F8-F23A-4720-BD54-71BE8DB064DA}, Create Time/Date: Thu Apr 4 17:08:44 2024, Last Saved Time/Date: Thu Apr 4 17:08:44 2024, Number of Pages: 301, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.1.2318), Security: 2
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):4820992
                                                                                                                        Entropy (8bit):7.944154231922389
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:98304:bzlHHxYRemOM+Q3+I45LfQQTNTSOz+0uStN6BYRtWljyGqhF:dCerfqaLoQTNGOzmwwBY3WjG
                                                                                                                        MD5:E3DE50D65FFECF14BA4A6BA04A011286
                                                                                                                        SHA1:B8135627D4ABE71BC7D51E4479D4A6DD1B9CF804
                                                                                                                        SHA-256:416F72EA80F4797B44C11C5B87049A29F36B5A0FC505C50E28BD9EC37EB6899F
                                                                                                                        SHA-512:8BFCA3BBC7625EE20A92932BFC02E51E00605DFF1CDA2D8DBC37303FCE457D5A5C82364E0B0D107098EC9E1A38C5AD36673825F9872AF74EF24B924E0F1265C9
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe
                                                                                                                        File Type:data
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):8
                                                                                                                        Entropy (8bit):1.061278124459133
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3:cn:cn
                                                                                                                        MD5:34494BDF51B170AAC2642B349CD279AC
                                                                                                                        SHA1:B5187E0A2EBA982A99B6E7B98CA5672A424A8F0D
                                                                                                                        SHA-256:BE17E371BFA18DBEF22DCBCD3E73DA0C7D9A993273BEADEC46BE50511240C5AF
                                                                                                                        SHA-512:FED518BFF5EBC7D530B0B74AF67C418C820D0BD7C8A0F51831B4D9DA8BC3955591C27A3EB7D083C059921CA75D476E1CAC4B89988A1A54518B67366084D26224
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe
                                                                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: S&P Capital IQ Pro Office, Author: S&P Global Market Intelligence, Keywords: Installer, Comments: S&P Capital IQ Pro Office, Template: Intel;1033, Revision Number: {A34B3796-9442-4328-875C-4043632CEC59}, Create Time/Date: Thu Apr 4 17:14:30 2024, Last Saved Time/Date: Thu Apr 4 17:14:30 2024, Number of Pages: 301, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.1.2318), Security: 2
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):177909760
                                                                                                                        Entropy (8bit):7.999378812785999
                                                                                                                        Encrypted:true
                                                                                                                        SSDEEP:3145728:Gur9MxsBd6qnpx2tnQBcXE/qWxiPBDx9g4j/pIBtPDf8DeDEdbAYo9A:Guqy9n2KCd2ORIBtUKD+AY
                                                                                                                        MD5:8972115A8C22F49F48522ADC11475E1D
                                                                                                                        SHA1:1799375A068C88A55D5703896CD5477FB9D45692
                                                                                                                        SHA-256:B354809355612AB26E579AD665732C76A3A70F6021299F35888836F0E63E88D3
                                                                                                                        SHA-512:3F2D7B4F7634EB8365D185193EF27ABBA9A7E39BC0F05DE6B34BEBD12E4792F9172653B81E0A0DA70BBE4B8FB09A289AA28997105F62A8179025379DF4DB3ACB
                                                                                                                        Malicious:true
                                                                                                                        Process:C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe
                                                                                                                        File Type:data
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):8
                                                                                                                        Entropy (8bit):1.5487949406953985
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3:PX:/
                                                                                                                        MD5:6F4A9B55D681BA9000A765BFCAF7BBB5
                                                                                                                        SHA1:1D9E47DFBE3985F9EAB955D6D746C1DD49C85299
                                                                                                                        SHA-256:E43F11029AB9C1209939B9232839AEB7FD32426FD75B8339CF918919F23EF524
                                                                                                                        SHA-512:2707B00C73742D4CC3D14AA15185F30459F51E6933C2A17CFFE223A71F818B44F305FA86380E5555E7D2EB96B7E0A00539D268BE69B5B000D4278E8D9E848614
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):158536
                                                                                                                        Entropy (8bit):6.098915148468926
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3072:dVNnO3HuFXpiplXV/aFt8KW3T5VJuefOA3KsuBCE+sm4dMRv95j:d/nO3HuF5U/aFt8K4T5e6OA3rMrdM/J
                                                                                                                        MD5:5A55E3E6F53592F8170623DEFA2B7954
                                                                                                                        SHA1:9DC27D575868FD01FA10EE90DCF15DE9DC0A7B46
                                                                                                                        SHA-256:B524543192E78A2C97D3EC9AA0CFCBBAA308439D3A33F9A1F4EDFBD3181D7919
                                                                                                                        SHA-512:56FBB7FE88B5FB354C43C43F8B96796924C6E5AB20B05E4B00EEC1143A179271369CA8EF4E6F484F2E3A7201A496131DA4C880FFE5EEEC7DA0C56F94E0984876
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):5574472
                                                                                                                        Entropy (8bit):6.6006863823150965
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):36176
                                                                                                                        Entropy (8bit):5.563055562115305
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):36176
                                                                                                                        Entropy (8bit):5.62623996952481
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):64336
                                                                                                                        Entropy (8bit):4.137641677650506
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):55120
                                                                                                                        Entropy (8bit):4.196818691521186
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):63824
                                                                                                                        Entropy (8bit):4.072258396750348
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):64336
                                                                                                                        Entropy (8bit):4.11629693512726
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):62288
                                                                                                                        Entropy (8bit):4.094451745479394
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):43856
                                                                                                                        Entropy (8bit):5.448464311342031
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):43344
                                                                                                                        Entropy (8bit):5.55138917183126
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):60752
                                                                                                                        Entropy (8bit):4.690496677324182
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:768:1URq/lFXOvhQuqN9TMIVhtZ3FckD+StMi2jpv2:LDXOvhkhTVG952
                                                                                                                        MD5:91377116A916085C1DB20F46A4EBC9D2
                                                                                                                        SHA1:93B2C5C1EED34202634778D55E52BC76740C42C7
                                                                                                                        SHA-256:A97B65D0F3B4F0A2A448D814FA11D1ABFEF4B019CB76EF6E3DEB052B36432CCC
                                                                                                                        SHA-512:FB2BECF1E82B3C9895AD497F0B7C1A3766EC8AA7C22B4C2C1286D4BE3A45FFF89DC5BC1D4AD032211697383C156CAEFF3BB11421C4FFB432234D7A9349142F8F
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):5601616
                                                                                                                        Entropy (8bit):6.579345436252858
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:98304:ioIhyNlBnwwPKcsPFLOAkGkzdnEVomFHKnPA:iHhyNlr18FLOyomFHKnPA
                                                                                                                        MD5:76168DD534E0ADF0F30F0CA809525FCE
                                                                                                                        SHA1:DB1AD6BE6C601BDB37E8FA90159E488F7E4F4184
                                                                                                                        SHA-256:39955DBBE00391955FA8313FF1B9C815BE7B6AA615D36345E579476E789E91EC
                                                                                                                        SHA-512:30F4912F9E4BA8D6C17490AF0D2F1946D46758C1B0BB93DB7C1609DDBE6E3AA552CB0E6E1D75118EEF9A043FBE736CE0ADBB71A5623D3EA6B65C0E3DA9DC25E1
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):93008
                                                                                                                        Entropy (8bit):5.866040930545699
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:3zvi/x/md7ztOtoFWZuH8LSV0pSOlGAd95D:DvweRztOiFWZuH8LjpSOlGAd95
                                                                                                                        MD5:9256FEC63B2AC302CFBCA3D186B00807
                                                                                                                        SHA1:EA3CA7FCE7D473E7C6C161F0416C7963ECC13841
                                                                                                                        SHA-256:A99A2DE10AE40071852FD63D08D6C2EA9A0F115DAFCF7CC4F27FBC9BDE0B249D
                                                                                                                        SHA-512:21EF040D543AE5D617273E0DFB4461EFB16CC645898E46B6E3C520D36931B55331FFB76E15BC6803D81DFAA94DFA6281512BB4031BAD6516CC6DB60863F764F9
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):93008
                                                                                                                        Entropy (8bit):5.872996954552546
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:7sOezFYw4a7i58fs3GJn8LSVFfbOlPEvv95b:YOeCVa77fs3Gx8LYfbOlPEvv95b
                                                                                                                        MD5:E513D681B3E763D0E44653041C129317
                                                                                                                        SHA1:F15E0EE390491D8F961801674028B5528A31F889
                                                                                                                        SHA-256:311739FEE33B091EA55801154C1CB4AC8A9A18FB6AC5F6FBF31D958307B3D0EA
                                                                                                                        SHA-512:3F98103117AE6A6539AE175FDD60390815178F060BB45885C42ACF3F73521B42CA15CE9C2DE5A41CC3A3B96EDE01BC6B567134BC5E90AE12B0A981603E0AC22A
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):608080
                                                                                                                        Entropy (8bit):6.297696245556828
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:12288:uoBFUsQ1H5FH3YUTd/dfePA7XrNvEKZm+aWodEEGblH6t2:LFUsQ1H5FHdggrNvEKZm+aWodEEIH6t2
                                                                                                                        MD5:4F096D96285E06CD51AEF7D2D3DE04DA
                                                                                                                        SHA1:C90EF0EB5B1A0B1B85AD6792291747FB6307DCDB
                                                                                                                        SHA-256:5BB420FBE28315F2117376052BB8488CE84A3398DDA65005B8AE1F792017E9A8
                                                                                                                        SHA-512:80F558C50A71AD9C4930B3838B481E4FB453C38D57C91F7F70C1F86E4043B9A4FBCEC27D7C025285504CBF3BDE7C50B4770F18121D7818AC58E2EE9C2071F97C
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):829264
                                                                                                                        Entropy (8bit):6.55381739669424
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:12288:3gzGPEett9Mw9HfBCddjMb2NQVmTW752fmyyKWeHQGokozS:QzJetPMw9HfBCrMb2Kc6ymyyKWewGzUS
                                                                                                                        MD5:DF3CA8D16BDED6A54977B30E66864D33
                                                                                                                        SHA1:B7B9349B33230C5B80886F5C1F0A42848661C883
                                                                                                                        SHA-256:1D1A1AE540BA132F998D60D3622F0297B6E86AE399332C3B47462D7C0F560A36
                                                                                                                        SHA-512:951B2F67C2F2EF1CFCD4B43BD3EE0E486CDBA7D04B4EA7259DF0E4B3112E360AEFB8DCD058BECCCACD99ACA7F56D4F9BD211075BD16B28C2661D562E50B423F0
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):57168
                                                                                                                        Entropy (8bit):6.313616205209308
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:EzxgpALeyRrDc5lTNqo4+E07LS2+/r9rHURj:EdgbyR/c5Xqo71p+/r9ot
                                                                                                                        MD5:3B66B408FF3AF1CCB25E096ABA23611A
                                                                                                                        SHA1:FEF88436F6EC339623F311DF83507B965D0324FD
                                                                                                                        SHA-256:67C5D600C0564DD201377FD06BC1A4B07BEFDFD30CF7FA410BD5B5C16D5D2CE4
                                                                                                                        SHA-512:529E1051B0D4736546664D54928AE1CE2CDDD3C8D767666C9F5F2679F6DB518C906C5893C155087F43E1FC1159C562ED2967C0F87B5C9A88E07A9E5FA946CD4A
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):5
                                                                                                                        Entropy (8bit):1.9219280948873623
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3:r:r
                                                                                                                        MD5:0159F9DEA3074F872065734097155BED
                                                                                                                        SHA1:E46187D1AE82F667E48EE1962CD90BDD806481B4
                                                                                                                        SHA-256:AC45264F80CEA5811B7FEABCED505EFC5A53D52F4ADAA15FF74083D6E198AEC1
                                                                                                                        SHA-512:53A03E69425F623914411520E9C38D42905EB0C712428B313673EF7DDCB3CA416207D8A8FEE3962BAED9DB3CEAAB64D3CEB49150D9DC162C0260E685F258D64A
                                                                                                                        Malicious:false
                                                                                                                        Preview:4a4..
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):138056
                                                                                                                        Entropy (8bit):6.454887624220969
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3072:nHi2/YxBFZNAWH6Gk5BsyGfGM8EnwO95fF:BOFZKWaj5BstfbfDP
                                                                                                                        MD5:00D2C06A552F782C1F16ACF77DB765A5
                                                                                                                        SHA1:640FD59AE52C7C381D7696CE66668AEAAA25B711
                                                                                                                        SHA-256:F54FE6535538174C139B1B0CB2AC0753B2E34412153A443482CCAE53FFBC4DC6
                                                                                                                        SHA-512:BBDFA6945D57C49A886442A7D1032E08656D4999E614D5A0BE0D318832BE94520601D2DB9C0E3AFF5E083D7A1392C72FB38EAD2873520947E26993DAED7AC795
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):4397384
                                                                                                                        Entropy (8bit):7.044986254855662
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:98304:wnXVMSRMlBoIafB/I6A9Xwk2px12CqRe+RM/kXben7XTWwt52n7/YRFLOAkGkzdC:wnX1f2CYo7XTqYRFLOyomFHKnPAT
                                                                                                                        MD5:A807596CB3CB377A1A687C9734D67A37
                                                                                                                        SHA1:29DD7CA9AF4085C6897788C1AFAADF59DD5D8B0E
                                                                                                                        SHA-256:496E1A21645ABAA90FA544C025E6F0DE1CBCBD5D060007A8A9E2FB5787655D0E
                                                                                                                        SHA-512:7534CC0BF5CFCF238FEFDBE47FA895E47D08F7545CFE2E9DCEDA703E7652060821E3CFF9F839E5BC78A11205B9A0FD1A5DBA47B845AE83D05A6005F49A224E28
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):36176
                                                                                                                        Entropy (8bit):5.565145082259986
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:Z1ndBysNKvsX0W2AWAJYbRWktLiBrHuuPgldyevyBbXVLN1TLXci2jpvbY:Z5divsXxAptLkrHyTby9XVLTMi2jpvbY
                                                                                                                        MD5:F7E75862299194C1B9103F7742EA7B25
                                                                                                                        SHA1:51A18051A8199A826AF854D724F600F3951C715C
                                                                                                                        SHA-256:09C2F7DD0970FA29984D8E92D8B3EE038BAC94228B30ABFB1AF11993A62C5356
                                                                                                                        SHA-512:93C8F3149BE532345DE57126FB0CC6BA0D65BFD5618171B90A83640249807292321193F7B8C880EDAC0894734AE3363AFEC49003E2C0A57D61334743439EBB1B
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):36176
                                                                                                                        Entropy (8bit):5.623062559496089
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:768:ruufpTVI4fO7kn4TJVM3i/EhKJMi2jpv9u:fpTVI4fO4noVM3XhK6959u
                                                                                                                        MD5:8280A96D8B44ABBFE8A22F19EAF9EC0D
                                                                                                                        SHA1:A7DC0249591477976A88026A4F9671C25C000DBA
                                                                                                                        SHA-256:E984EAEA8294F17D00B380B588679E209A2D87A4D77D68B58E65A0FCE979294C
                                                                                                                        SHA-512:4B23C8E1C4954F644848EB7D96AA78CEB16039FF6A5F1770F6342707BC72DB8D319328E5B1324018ABD661538503A69B571B7BFAC6E85F2654B143C333641D3C
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):64336
                                                                                                                        Entropy (8bit):4.137117954467132
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:DVPidQr0OWqnn0BDXQPu6V4aGCWRZ+e0petNSaQhp0vcsjsr8gWt8C1dCuf9x9r/:DVidQr0OWqnnSXQPu6V4aGCWRZX0bhpW
                                                                                                                        MD5:4AF4B6E8A4D185B75122773562D25975
                                                                                                                        SHA1:A25E887DF095BBCC61A2DA3B9696AEA59A3B5EB0
                                                                                                                        SHA-256:1CCAC5A935128A4DB17197F248566C1FCC798F3C4C1A62A4C05745209F527FDE
                                                                                                                        SHA-512:0BF09D53966C6D8E5F3AF269E8DF7DEEC9EC0C73AD2CF702B1E95133212510B94116073520474A88C19BA73E86BFC3D46486B59B0FEE688BA9A716EDF8C7B985
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):55120
                                                                                                                        Entropy (8bit):4.198533172081631
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:768:BgIdijcuEhCgyYo6B1CLPLNq5f/nWHBNheOU2fd5SMi2jXHUQ:SI0ifyYo6B8PLNYf/nWHNTdr9rHUQ
                                                                                                                        MD5:F908FE45F8FE9E0D4CBE65F9FF5DF6DA
                                                                                                                        SHA1:55BDF4AD2DB61B8CD0B37011906B74A5505B3746
                                                                                                                        SHA-256:6FEC7C478F790D0EDCC4F0EFB2594A64878AC8FC8878B03F3611311C920E29BE
                                                                                                                        SHA-512:5F02643BC0F79129E2F48349D8594BBBAACEED50146B82AD880E27B6A512F263FCD69F2AD8E956BB147790F05AFE64729DE4A699261019AB509E89BE863F3063
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):63824
                                                                                                                        Entropy (8bit):4.071025332838685
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:768:gYE0Kv+BU6zH6rg/PKuCOCF3OKWRElJRZRIvpGMi2jXHUU:1A+q6zH68/PKuFm3OKWkRZRIX9rHUU
                                                                                                                        MD5:9328256796EFAD2AC9632FD9A76EED95
                                                                                                                        SHA1:1540E2881F97E7C49E16FBEE5411E14A7019E6CB
                                                                                                                        SHA-256:29DBDBB0B49FE25E350ECB13ACF5BDEA19EF9E650CA7D035E398974A35115705
                                                                                                                        SHA-512:8DCCC5B29F6FEC20A49D88760D48134F0F6F6D5FBF7A23E11A63C4A6A51972DBEFF7AAD1BBBCF1B6DF24FBAA9BC61EB581B2FEBC617C49CDD34D4223A2403F54
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):64336
                                                                                                                        Entropy (8bit):4.116469441988545
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:768:Yqth26iN6NjZELqoYImN8YxAaTafCp5eFQZmZUjyyyyyyyyyyyyyyyUGQFUbWo2e:ZNPqLqoQA2SCHj0j/95zN
                                                                                                                        MD5:ECAF994DBDDE7409A4C2270CDA8177A6
                                                                                                                        SHA1:BD2FD0318A6A036D3FE0D7C1FD4E1235556B7DC7
                                                                                                                        SHA-256:B52BE52DEA598AB61516A35D34180BB94CE232F34E2D3482527EC9A790EFCF49
                                                                                                                        SHA-512:E0BBF39EF49F8B94CA6A2176ABCD86DAFBEA1AFD4C73689223D7ED7CE2ED0AD967B49897407A6DC1F1B5FDE83B3540A99464E6C13A39237F29153A0D94025A43
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):62288
                                                                                                                        Entropy (8bit):4.096027904670536
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:768:P6E6XaEYyqbK15MGHigDGxNIlW3gyCQQQjeqS1hDsiiUWTVHMi2jpvg:iaEOs5MGHigSxNIlW37oETK95g
                                                                                                                        MD5:D460F47453E2E186A981E1EB0DC7F6C9
                                                                                                                        SHA1:E00D69F5063F859D72A2622A35D3DC5EC81B3A9B
                                                                                                                        SHA-256:DB16717FF48F8FD073ED02D186CC5F71A7FD6D4D31A52753EEAFE5F0ABE178DB
                                                                                                                        SHA-512:1391DEC17E75D6D0BC23965518901521823C98658468C36742D0E9A358E071BC94F8511ACA6DE1AA7A7BE715111D8E78B007A82B2F48DC2CDE49977E30887B96
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):43856
                                                                                                                        Entropy (8bit):5.447621036331157
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:768:NsTbayVn/K4tJxtr10/euKRHIWkMi2jpvFT:2Teyp/Kq/uMl95FT
                                                                                                                        MD5:BF7B39A609B1C84A888158BBE6CADC3B
                                                                                                                        SHA1:B77FE021F5B0C94CC97132C50086ED37128EDE64
                                                                                                                        SHA-256:90F0EF59DD22008CB092029D19D1D14E60504E9A0023DC0C4C56FE444270A627
                                                                                                                        SHA-512:A1B3FB45C938C148A96880996678AC2CF85BFC05FAC7FBA111255001B1C5F97AE0954F855C69936B6AB5C4A0079EDFC3A37FAD2B138DC6C55723CE4E7E805A5D
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):43344
                                                                                                                        Entropy (8bit):5.550778347897452
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:768:IVz754LQTNharaHniJNB2I7CvqAMi2jXHUt:G51TNhDniJv2I7Cvqn9rHUt
                                                                                                                        MD5:17F28E88C2006EB6447FB31F25D7D937
                                                                                                                        SHA1:C80F9EA7A596DF6F7F65ADD76E6AA64F5CACC752
                                                                                                                        SHA-256:47CEFC05B67EF82128DA16A6A007E4978D8C0DF24A2B8C2C3C34C8830E6F49FA
                                                                                                                        SHA-512:67A7F37F83205847416BCC6D8B9FAFF5CAD14BBBEF45BFF7843F1E43A2A1CEBD5D958118056754685BDA9BF923470974547CD632B31FFA7AD58F140CED8BA68D
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):60752
                                                                                                                        Entropy (8bit):4.6890295964295685
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:768:hURq/lFXOvhQuqN9TMIVhtZ3FckD+SfMi2jXHUwRM7N:nDXOvhkhTV09rHUwR6N
                                                                                                                        MD5:E25790E6E0612B621C8EA80206036672
                                                                                                                        SHA1:78DE33243AC083FCB57B2CFCFED52F5DC4CEC2DD
                                                                                                                        SHA-256:136DE86F96AE881A430724AE854D902749A0A72B3EDC17DF83E83257C511CBC5
                                                                                                                        SHA-512:E1F298A2BED0D5B632EC5EA81834FF4FD69084B79C37A63D8B5C7E7317A757E0CFCB9D311D585980A303D16640ED2C9224EE442BF3CD2ED7BB026E181599601B
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):4422992
                                                                                                                        Entropy (8bit):7.012472770624414
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:98304:jsWbb5oF0MUVVsK3vOGH+1TSlUE7vrffTTnm7ulf67NACOub7FLOAkGkzdnEVomK:jx5x3Ii6F7FLOyomFHKnPA+
                                                                                                                        MD5:F32077DF74EFD435A1DCDF415E189DF1
                                                                                                                        SHA1:2771393D56FF167275BF03170377C43C28EE14E1
                                                                                                                        SHA-256:24BB6838DEFD491DF5460A88BED2D70B903A2156C49FB63E214E2C77251ECA71
                                                                                                                        SHA-512:FB708E0949854998FB80635138C80AC05D77DCA3089D3E5974663DDF2376D6A03535DAE1A068514C3B58BC06C8E4078B37CFB6BC90F080F7F31FEFC972A34850
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):81744
                                                                                                                        Entropy (8bit):6.143527599899884
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:Koqh1BnXr5esH5YKT5bLQVDTpZx9OBR1g95:K/hvbz5YKT5bL2TpZXOBR1g95
                                                                                                                        MD5:DFAE4207CE3F2B3B88DABC6A7C73C450
                                                                                                                        SHA1:432A2FDDBB87BD13E4E40428E4C6A167EEBF7BF1
                                                                                                                        SHA-256:F7E920AB186D9F5F8218A012F9D6E603BF351C047CBFB6C4BF41850D50373A0B
                                                                                                                        SHA-512:577FF996023D7D00584E3657C73711B921FF2904E72536DE78224C07CD960672D3D035FC06EFEE85BA1F14CA86B03B699B7085B96CF2DC7362781BB4C96A0754
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):81744
                                                                                                                        Entropy (8bit):6.150747808645515
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:jIzAkByS3ilE+38F6+bLQVFHzOBhOGf9rHUf:jKAkBrilR38FdbLuHzOB0Gf9of
                                                                                                                        MD5:0B6C9E162B102F7B819E61A80257CA92
                                                                                                                        SHA1:E7FB9B6A36E2F9AD381D00D14E1A20B541C70D94
                                                                                                                        SHA-256:D159D2AE0A3F73FD7489960320DF92ADEE9B481027785BC8B82F8A10C2E66808
                                                                                                                        SHA-512:53AEFE0592CF92C6EB3DB4D6FE32F75A2B1E0EB8D9C5B7AF334F3A5043589D6918412309CADA9B6B96A98F3BE7DB00647D3BAE52BB775D1EC1DEA810E0EC8982
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):421200
                                                                                                                        Entropy (8bit):6.595802017835318
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:12288:zNb8zxr1aWPaHX7dGP57rhUgiW6QR7t5qv3Ooc8UHkC2ejGH:zNb8Fpa6aHX7dGP5Kv3Ooc8UHkC2eKH
                                                                                                                        MD5:E3C817F7FE44CC870ECDBCBC3EA36132
                                                                                                                        SHA1:2ADA702A0C143A7AE39B7DE16A4B5CC994D2548B
                                                                                                                        SHA-256:D769FAFA2B3232DE9FA7153212BA287F68E745257F1C00FAFB511E7A02DE7ADF
                                                                                                                        SHA-512:4FCF3FCDD27C97A714E173AA221F53DF6C152636D77DEA49E256A9788F2D3F2C2D7315DD0B4D72ECEFC553082F9149B8580779ABB39891A88907F16EC9E13CBE
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):773968
                                                                                                                        Entropy (8bit):6.901569696995594
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:12288:yMmCy3nAgPAxN9ueqix/HEmxsvGrif8ZSy+rdQw2QRAtd74/vmYK6H3BV0eAI:dmCy3KxW3ixPEmxsvGrm8Z6r+JQPzV4I
                                                                                                                        MD5:BF38660A9125935658CFA3E53FDC7D65
                                                                                                                        SHA1:0B51FB415EC89848F339F8989D323BEA722BFD70
                                                                                                                        SHA-256:60C06E0FA4449314DA3A0A87C1A9D9577DF99226F943637E06F61188E5862EFA
                                                                                                                        SHA-512:25F521FFE25A950D0F1A4DE63B04CB62E2A3B0E72E7405799586913208BF8F8FA52AA34E96A9CC6EE47AFCD41870F3AA0CD8289C53461D1B6E792D19B750C9A1
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):51024
                                                                                                                        Entropy (8bit):6.58747423701147
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:768:JS1woYlhhX8nAJ1I84lIFIKC4YWVbX+zZkaKpnnh5L2jmPGE7y/gDFMi2jpvD:8vYlL8AJMlIF7phVbeKVLSO+/H95D
                                                                                                                        MD5:A7E63D69F1D55A3662907ECD48B345CA
                                                                                                                        SHA1:6FD80A3C9134CC09AC7C353D64FF2B1E34D55206
                                                                                                                        SHA-256:887C58E0B5E315F2D9714BD4D0F8126EF615D5792BAAAE4C7B75409FDECB5C45
                                                                                                                        SHA-512:2564DE05FD1763E26A1B1E00603961EB2F53624005A11837DD1E798740AFAE3E0E7AB4D48E76CC23FECA0CCC509399659DF6E41976C3046D95CC600CAB87769E
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):42248
                                                                                                                        Entropy (8bit):5.866888362291449
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:OzBk39BmxOVst4SCtrpuXYa1pbr/0K7yfKJ9Yu6dnPU3SERztmCJMadMardz/JiT:OzGfZs5CZqljd6rqnuOzVrGigz
                                                                                                                        MD5:2B1EB8CD53F0CC57779F04859F3C9B8F
                                                                                                                        SHA1:DCBBC441C751B2DAEF01A87E2E8835E86CFF498C
                                                                                                                        SHA-256:53EB64800783DF74E617977F8B48889D2573CF1E8561401B66FC73D153EC3D13
                                                                                                                        SHA-512:ECDE132EF41344E7AC383A8E0C02572FC6A3097F535A5F8D5862375A390B41EF044B924AFE35331516FAE1530A2E2E74D22EE99B85FBD2EF92FFF6DE5FDC84D4
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):42248
                                                                                                                        Entropy (8bit):5.866888362291449
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:OzBk39BmxOVst4SCtrpuXYa1pbr/0K7yfKJ9Yu6dnPU3SERztmCJMadMardz/JiT:OzGfZs5CZqljd6rqnuOzVrGigz
                                                                                                                        MD5:2B1EB8CD53F0CC57779F04859F3C9B8F
                                                                                                                        SHA1:DCBBC441C751B2DAEF01A87E2E8835E86CFF498C
                                                                                                                        SHA-256:53EB64800783DF74E617977F8B48889D2573CF1E8561401B66FC73D153EC3D13
                                                                                                                        SHA-512:ECDE132EF41344E7AC383A8E0C02572FC6A3097F535A5F8D5862375A390B41EF044B924AFE35331516FAE1530A2E2E74D22EE99B85FBD2EF92FFF6DE5FDC84D4
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):205544
                                                                                                                        Entropy (8bit):5.84381998804481
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3072:50ZVVxFlfJ57iPki4i14IBkb2/Demjzk27wxqWSDfKnFp6/Z/CP1WrFJgKtwFT6:O5Pu4M4IulAKWCc
                                                                                                                        MD5:D292E9B54C4F884E450AC308E4D0232F
                                                                                                                        SHA1:9EC5BFC1FE71455F06DD77F7E7BADBEF296FF2BD
                                                                                                                        SHA-256:1AC5DC84363C6D3233A80D7B5A3709E856FC5433FB9CE139666F65EBD602AB49
                                                                                                                        SHA-512:6E373A106688078EB6BA1A44D8F8901AE3AD932F4374F283F50FC54E6E3EC4AB02F85DA76246D697D9DBCE7F17646CF8E1139D0BF9B2B6B7370A01BE1B0DD2A6
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):83176
                                                                                                                        Entropy (8bit):5.613590399411666
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:768:FvQ+jyq2UX/RPLYyODdyoSNjSvYomC+L8XW/By/g6I+wVtB4dmg1ZqnBEPzmhK2v:O4VV8XW/Og9NCJ7qBEPzmo2y1AWYiw
                                                                                                                        MD5:D73E027DBDA77C7FCF26C28EDB82071C
                                                                                                                        SHA1:9E815D18EABD601CCA61F7D433DA7D3AE243CEBB
                                                                                                                        SHA-256:821575B7F57D2AAD01EC2F92F3D64870487A8248880EA355FBCA3336FDE04B8A
                                                                                                                        SHA-512:A8CECF84ECAED9101A4EB59B37D8303657151E18B871082DF2F7CA70D6C7CE058F9417F3311E54A161609AE381D912057D39A0D6166E695BBB4AD0436082DB7F
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):202488
                                                                                                                        Entropy (8bit):5.705451277226982
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3072:krFKDbAtgNrfAw1bsO8YzN2HsBpmxRGlu6rir3+f/V3zYFHvz:krFAoOXcHfIfiE67
                                                                                                                        MD5:8A3F8453C6FC2BFA6FA02E5B75D29FE0
                                                                                                                        SHA1:935D13856D57FB7CC74BFE39E0D1FE0D9A5CDD8D
                                                                                                                        SHA-256:85DE742500E41EEB4A55A372C2A75346F96028850AFDDE07851F56E7AA3729E0
                                                                                                                        SHA-512:DB4D179CC150BD9889F2E75F4EB306DEB854E9F9BD8C6330C667F67C9F9040AD3D3CA35D17BD230CC1D4D94AB62FAF4D53762D7AD70F67FAEF6522DF245CA094
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):359136
                                                                                                                        Entropy (8bit):5.754506187968688
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3072:6Avt62lWbUqiYcOOHoPPTmUemIlflINARkVAzXUsqJ0eNbuWRueAAR0OQ4pUE90q:fWbUqiBOYOYmw9I2Rd+SOQ4pUE9whQoE
                                                                                                                        MD5:FA5F878509B29DFEF9067E57E0C21CC4
                                                                                                                        SHA1:A04A68C5DCD3503BAF53C40EEE4261A6F3D7FDFE
                                                                                                                        SHA-256:A87BD3FC92F2A1ECFBA5AE03085E3C79F0E9BBDF72A887C3E3F45BCF9B674FA7
                                                                                                                        SHA-512:5B2642B458E65889F675BE9FEF6CC5DCF136AF828E0CEF06DD268FBCD84B1604302D1085207E055757533C5C368BB30F06D05874141CB6F57C1CA7E98599AD41
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):92352
                                                                                                                        Entropy (8bit):5.90165645393091
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:768:0nOfOpzCJztUjm2ElyGv/NIvS1SHhodPxAoiStZp4uXhblMB/y8CKMduoUZK94HT:yy+zGztUjm2oNIv5oiIZZ38C8D4evp
                                                                                                                        MD5:6D9332789EF81CD81656B0EF1F6C03E3
                                                                                                                        SHA1:7F70B0FDB0D6F811AC280B17E075976A667424F0
                                                                                                                        SHA-256:D4A52D7B6CF2A8F1743A2C854F57A77DED532D5FBFA575FC578D87613D287E11
                                                                                                                        SHA-512:BEC66FDBC40BAC1AB43D218C8DD5AF1A06C3D0E3F1FB72A3C099154BD7BB4BDC5C171E74B4C429AD8057FAACF21B9E24848CEE1166D0C65466C5E730D424E9F6
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):77040
                                                                                                                        Entropy (8bit):5.565072253187021
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:Uskby0ayhkM+TeVCB5+G9cTvdQc1bqMsDkbq7pavgNi6m2:UDbyihcwqH1aYNjm2
                                                                                                                        MD5:F910271F3A8238043D203F85DEC694F1
                                                                                                                        SHA1:5E2125DB6EB50F15CEFD61BBD3CC77118999AF2E
                                                                                                                        SHA-256:B12BE839A0C3648E0EB0162B52664B721C43439950D12DF1C74306E87BC1D51D
                                                                                                                        SHA-512:3BF6BF97A6E14681E05AC01CCC00E14774EDCF6105302ED7923569DC7556CDAAA9BB0AEA605BAC9D18DCCEC1BC70AC691D69E6238C3B244B2F80004E5FBDDE8C
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):16048
                                                                                                                        Entropy (8bit):6.246832594829866
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:a1LtwmrH+UCumkW/kwWn5q0GftpBj6hl2:a1fCSNiC2
                                                                                                                        MD5:31D8719918ED05F1E76856D7BF63CB5F
                                                                                                                        SHA1:D19F9DD6BEDFC4746DCF67E40598E6ED2435582A
                                                                                                                        SHA-256:36C38D2D084CE71DC48BEA1DC5C5FD4E58DF07F69C0947F4124799D9B5B5DE8D
                                                                                                                        SHA-512:EA96DA2167B9D8F02D09FB60E031750FE78528AE16E81F7407E0CAA922D767696AAFBD4490E0C3D46AA8261C4288EF892A6D38E55AE5B06C2ED0F417CB7419CF
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):78592
                                                                                                                        Entropy (8bit):5.985522657746736
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:bdbojRaLEJ2tF0Hdlyw7GL1w1IcT7TXLqdqCOHd2gmNHH:hYR63P8dlNGu1IcT7TXLqrgmNHH
                                                                                                                        MD5:690F000FC9F60DA8DBAD47D215D09DF7
                                                                                                                        SHA1:345779B80FA02C85089B9FCA42D772C7A4183F9F
                                                                                                                        SHA-256:C483F19916E499AA27DCB653928CE948AC143B99EA9EF1B8073D562DCC208718
                                                                                                                        SHA-512:348032651159FCFCEC8D2406F2DD7245D9E8E7CF966F84F7842A7E26C93589FD132CBC7536F06EEAABD8D42E05DE441027A04B10C577A1CBD70633EC95739B8A
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):467168
                                                                                                                        Entropy (8bit):6.0293163816901805
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:6144:A6g4wRumoEBSvGpDMCDC1AW4e+TF/AVaqmRQGtIhyjmDs3lNiWTDV2:A6jwRSvQh42RNjN6qV2
                                                                                                                        MD5:1F39B00885B2ABD1E3F778CBEED4D52E
                                                                                                                        SHA1:AC6419682E85127E1BE20597747527051A5542F5
                                                                                                                        SHA-256:2DDC666D62EEFD436E5F79161D8D8F221F6832ACA36B8BDDD738185BBE2527D6
                                                                                                                        SHA-512:19EAEF5A9E26903985981F18DC91564D6201E3DB297DFD126819035C6D5A50CEA632CC998CBA96C2BA51ED03A6C1323197E692A9CD37AA873C5813C5B83D9CC3
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):172224
                                                                                                                        Entropy (8bit):6.0621957003776
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3072:PWwMr8CSQ0dd5Xqp6J7OB6530Xgb3m61EC6r2vamwxBAZirV4S3:PnMr8CSQ09ap6Jy65Rm2vcJ
                                                                                                                        MD5:039BBF890E715252B2043976A11A7088
                                                                                                                        SHA1:3891B81FBBC9EAFD9E30601D82D98ECC1A83F4A2
                                                                                                                        SHA-256:7273DE7DD92423B725F2EBAF24766108B5753B76057A828EFDC1F32972B9F202
                                                                                                                        SHA-512:9100E240CFE39B5C709BBA9743D01DEC62A5FE4802C9B0A3AC6BD4E6A9ABBA9A6676B34A3E13498959908064330CA79AF06C23F7892005D65CDE9C3BE900ADAE
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):42248
                                                                                                                        Entropy (8bit):5.7018029445980405
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:768:5c1JB9Xaefxf2ZquXoQGaVL6rqnig3HAJiRG:e1JHXtp+ZquHVZigXoN
                                                                                                                        MD5:C66A1DEFDE8C07B998033ED62FB95181
                                                                                                                        SHA1:3EC046B1496D9667C4695768781E4404D7181244
                                                                                                                        SHA-256:8D846C2EED04015608608D47BC809640D1EBA20783226DEDE732A65AC32A9F05
                                                                                                                        SHA-512:4EB48351E9BBF0293DAC3C7E92E5C7B8D9D896E64B68F9FC9DBAC33EFFFD1A7747CFB8EEDFFABB653A4DF8A89F3B0D7950EB013D3C81FFBACA01131C66C57CEF
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):140512
                                                                                                                        Entropy (8bit):5.8554648630984545
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:MsjLPfRUqxc0O/t4DErSu9e7EMaggaqRmDPRVTCZKe:MsfPJUqxy14DEF9e7D3gaqRQPbYKe
                                                                                                                        MD5:475105C48EA1869B12A5B63C7A7FD2E2
                                                                                                                        SHA1:C702AB4C1EBC053716155655636459DCB278AA45
                                                                                                                        SHA-256:CEC7EE8365759CA49C3CE791BD32D25DF729AA91EA1E3AEBF55241A3D8891C63
                                                                                                                        SHA-512:64153B826D5C88DFED27908A06205052C438098DC897373B39F48E0E130CB12269164803441C76F28E5CF2BD192A1286806ED23C32E425234D9BFB70F7AA682D
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):57024
                                                                                                                        Entropy (8bit):5.847542839970429
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:768:TRXrTM8QOkqNHEJLgp9DItLnKDiQ0fWS24sbxocNAwkEGjhl2BOBaBnD/sxFsNKV:CSk2HQq9DXbfnQ
                                                                                                                        MD5:E4EAAB2F359419819C2099ADAB9BCEB3
                                                                                                                        SHA1:316E9F1516D0989D0EAFFAA26A2F06AE4AE7EA13
                                                                                                                        SHA-256:203FEC93F0FE4FE03CB8C44E8E284F8A95E0E14778DF08C9632A1A0CE09F92AB
                                                                                                                        SHA-512:C662576125A59CBC23746B182758061241D1A078CDD47D05384539D2B80167E00F4423D8CCD2B3EF0E54965E0AE814772819EF840CD8CB52CEFB0FE0014EE6A0
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):365288
                                                                                                                        Entropy (8bit):5.889294906557911
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3072:6BijFKiOKL/u3RW1NvAbugFh/jLqthte2Seh6GVa5DU91Tp01sq9kAaCsrmvKSpA:KIZrvgQKA91TnAa1KPvA
                                                                                                                        MD5:2BDD07562C13A92A57258C8CC220220E
                                                                                                                        SHA1:CE6E3F80AFEC337C333E62DC0B617E1BE375118F
                                                                                                                        SHA-256:9C6F971B3148CDA5C7E8625BCB7917D17DAF3B7C52858A269894735714D9B294
                                                                                                                        SHA-512:DFC98DC70E1596591183558547245681DD15327AB941350106CEDA3EF9DF3817F72E966F64C66C07EC946C2CE4B0002AFF8F8ED9F3527917A644070BDB271EDE
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):398560
                                                                                                                        Entropy (8bit):5.87849924015444
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3072:sdxlMI0R4F60aGf0TX1zvAPuiFvVTLqtdte2Seh6mNfkGVq1XRQq7q9kAaKlVmlJ:lFva9GVq1XpAa8jsGO
                                                                                                                        MD5:32C2642BF0D52BC5B7C465592206FF42
                                                                                                                        SHA1:878C012CDF57FC5066C8C2DB112599BB2F3882C5
                                                                                                                        SHA-256:14D976A0D22AEFFB8B8692D0220712958D8A58D6EAC8A16629578968CC12A16C
                                                                                                                        SHA-512:7C851A0270FFDE68665A9F2D02714391884E72F8DA7833372E56812A9EF1558F048DD2B49AA3704B871C1F5B8519BD4FADB6005C9A6565CD0C74F7FF77B84C9C
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):134384
                                                                                                                        Entropy (8bit):6.048595284787141
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:Hfg4S0dRp1s8PW/OvAza4KFvQFa8xVsbtglOJzgP2wNmqgEEFBt9Aa2CpKohxmXZ:/N1zvAuFvVyV2sUz8mqc9Aa2ONhxmXMK
                                                                                                                        MD5:6D6919FFFBA3A9F106B5766C76E25BA0
                                                                                                                        SHA1:11F899CCAB0E9F83F150BE4DA3FBFC5FA6CB5518
                                                                                                                        SHA-256:896C9548A56995232E171E37D99BBFDCB3A5396B6A008B039C0606DB32862F23
                                                                                                                        SHA-512:5DEDBA192EF48B645F512BC512CB16D78DB93F7398FB4D524672ACEEB5DE02F55CF1DB42A14B9D0FBF6AA8257391DADC541548E1B45E25D362D6DC1323AAB7E3
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):28368
                                                                                                                        Entropy (8bit):6.06431947789161
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:DZPbNawkFSvPSN4J3DztyJbDr3Zcv/qLrVAtJClFp1WikgWiaCIc3q0GftpBj/:DHaVFSvPSNEtyJvrpcq9q6cQiF
                                                                                                                        MD5:792281F4CE5B8BD04CD66AE6E70CE8C2
                                                                                                                        SHA1:7CE2E33E74037D685F1F3EB13B2FFAB279C8F0CE
                                                                                                                        SHA-256:B4F59DD9BDA7212FC4AB2D9295A32A739508662D3D2072441A0B8173F9F685E6
                                                                                                                        SHA-512:2EBA9AEBFA2074BF6E13BB8FBCCBF11C337B75A87B78E4566D271227FF8931699A54DFCFA0BB4E26AB998042299BF7B0C786F027E8BE1C15B2BF19BFD48B28D2
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):84736
                                                                                                                        Entropy (8bit):5.954982023854298
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:5krEteCiTny7jWHfpSEZRwsexZG0YUBXfqiGi79dShdPq3:5k3gCbzexZG0YUBXfqidchdPq3
                                                                                                                        MD5:9EE188971F2C72786C45FF360F8A7EA2
                                                                                                                        SHA1:C75F5481E33B54476A0FC7AA2B23BAFF1C679A43
                                                                                                                        SHA-256:224C2DBAC57BA05D81CF51515CB765AB631A2E8D0BE7996E99DEFA6AAFD4F162
                                                                                                                        SHA-512:A279026560CAD898F7326D3A3CBB49DDCEC1E129222D2EEA32941191F3BE3D200FC613B20D6EECDE9850907CA493E2693672826593842913B00884ABBF859AB1
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):342744
                                                                                                                        Entropy (8bit):5.982870512753833
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3072:n00ASicZpLom0Wy0iwsC+KHIVKbHWuFvUOLKZXXZF6jJfIMRFxtZYg7eyXgMly3J:HlRAWy0iDCyVMvUYKZ+JICHNyPOE9YFK
                                                                                                                        MD5:0F4198D61DCA70CBD7398B907255D5E8
                                                                                                                        SHA1:93418E86B8386E2E920710A290B4BFBFC4A60C83
                                                                                                                        SHA-256:C6CABD9F19C77E1D66BF989933772AB0A180C2334665C93C997D2E2D0BBED23C
                                                                                                                        SHA-512:8A88889D244EEC9F6864504E74FE518417D8E02E8FAEE3878C5CCF05642462360C3507A51B35F1126A8CAFE121C4A75A587A4F32E209F5FC647881490B433FFE
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):142528
                                                                                                                        Entropy (8bit):6.172922408208914
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3072:urwVY+eaNZzPM8s08xsNj4SwAXK7Vs2gM2HOe+rCo3q:urwBZWkge7DuL/
                                                                                                                        MD5:0515D7371E5272DF1437886B3D25FDF1
                                                                                                                        SHA1:478B133956F5CE30B8F5964E4BCFA54FD83ED5FA
                                                                                                                        SHA-256:E3DE775B0074F30B3FF23903BD36FB49F3CB27C009C357054EB051636EE3262A
                                                                                                                        SHA-512:D8223962EB98B69E09483ED13CD720077F58282418EB84BF38AD9A51BCB2F74CA773E9862ED80F833AAE98ACC432D5685587A7C3552C350EE7296E71E54E0CC0
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):25336
                                                                                                                        Entropy (8bit):5.532761393402751
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:Ep0wdaXOa1FTKJ9Yu6dnPU3SERztmCJMadMardz/JikPZ+81AWIYk3gW9fEQq0Gf:I0Ka+qe6rqnDIvFi7
                                                                                                                        MD5:3FA2AB96BFC1B9639D31CE0F47480CE0
                                                                                                                        SHA1:8FB01AF9B01FE4DB9674C624A53D61B98E820205
                                                                                                                        SHA-256:95D15CC66B3C0DD2AB102F1A062983780079F8728AF55452D039D456EA71DD69
                                                                                                                        SHA-512:DC7D8AE7C9B9B5E68809EABF9AF4E6DEF5C536FA8F08FFD2738717B8C022A0CA16341BE05824E210C29E027B2DB15125B5BCBF0D645A0306CD4CCCA4FA793460
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):25336
                                                                                                                        Entropy (8bit):5.532761393402751
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:Ep0wdaXOa1FTKJ9Yu6dnPU3SERztmCJMadMardz/JikPZ+81AWIYk3gW9fEQq0Gf:I0Ka+qe6rqnDIvFi7
                                                                                                                        MD5:3FA2AB96BFC1B9639D31CE0F47480CE0
                                                                                                                        SHA1:8FB01AF9B01FE4DB9674C624A53D61B98E820205
                                                                                                                        SHA-256:95D15CC66B3C0DD2AB102F1A062983780079F8728AF55452D039D456EA71DD69
                                                                                                                        SHA-512:DC7D8AE7C9B9B5E68809EABF9AF4E6DEF5C536FA8F08FFD2738717B8C022A0CA16341BE05824E210C29E027B2DB15125B5BCBF0D645A0306CD4CCCA4FA793460
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):194312
                                                                                                                        Entropy (8bit):5.745345412688023
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3072:Jcs+QnXsia21rUBJeImxRGluQriZZ+2Z2X/kMFz2:JcsrRIHiHZ7
                                                                                                                        MD5:AC0A6E8409F77E657FB418B73DB04676
                                                                                                                        SHA1:08BE285CE270A56425E943C9C6D3DBBD9072838A
                                                                                                                        SHA-256:593688B5187FA15FDFD544565B02542058E1FEBAD8C88C2E31975BCBA56B1D81
                                                                                                                        SHA-512:21BE9ECF3ECBA12B86DA82DAC9173A7A5110C53872DBF678078E4D6E50FAA5CEC1386AF97B9236883924D289A03DC49C070A36BFC27F9F5CF30EE622B74B581E
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):24816
                                                                                                                        Entropy (8bit):5.5688984151897865
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:M3K6a/IZa13KJ9Yu6dnPU3SERztmCJMadMardz/JikPZ+C7Wb0pWRy36q0GftpBD:M33qQ6rqnLHHkiZ
                                                                                                                        MD5:285673539C20A5F9E39FE4A6F6508808
                                                                                                                        SHA1:3CC5FE64383817972E65D666EDB8A80867777694
                                                                                                                        SHA-256:B96E28F80559472233FFE3E2CB859965DB3C2BDE0E41791212F3D8818CDCC126
                                                                                                                        SHA-512:043645B6E3061A36C4019D6CD013A54AE738072735BE6E2748F3046E92376FF44DEA3B842A96F1A956E5CCF2F02238CF469D6AA761A6C960D8CF370DC5C741BE
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):24816
                                                                                                                        Entropy (8bit):5.5688984151897865
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:M3K6a/IZa13KJ9Yu6dnPU3SERztmCJMadMardz/JikPZ+C7Wb0pWRy36q0GftpBD:M33qQ6rqnLHHkiZ
                                                                                                                        MD5:285673539C20A5F9E39FE4A6F6508808
                                                                                                                        SHA1:3CC5FE64383817972E65D666EDB8A80867777694
                                                                                                                        SHA-256:B96E28F80559472233FFE3E2CB859965DB3C2BDE0E41791212F3D8818CDCC126
                                                                                                                        SHA-512:043645B6E3061A36C4019D6CD013A54AE738072735BE6E2748F3046E92376FF44DEA3B842A96F1A956E5CCF2F02238CF469D6AA761A6C960D8CF370DC5C741BE
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):155896
                                                                                                                        Entropy (8bit):5.936939971871943
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3072:u0anyn/CiBk6HOIz42IJqFF/0/UAWwfrjek7G:yn+VEDK
                                                                                                                        MD5:6E8A6DCA101D25EE36643EDDA12E8E9A
                                                                                                                        SHA1:8EF0D15A218A81DEF0F9A69E86802C98B555BAB5
                                                                                                                        SHA-256:6170654D00BD41BEE3AFB11A1015505F69DB7B38D942D9F11F06A66C1CD2E4C2
                                                                                                                        SHA-512:B291EF6C47E4694A73DE47A7928549DB6E1554861CA6B2796E51E7D7D8208F720534F7C1F534FF80E53296D09959B43D4340C394B45636B7DDC70D699140B237
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):10920
                                                                                                                        Entropy (8bit):6.39100132011914
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:192:iOSWVjzWET/XE9uDBks/nGfe4pBjSjl/3G:iOSWVjzW2fEQq0GftpBjG/3
                                                                                                                        MD5:398CBD4566BFCD234BF55E3D41414901
                                                                                                                        SHA1:C4EDF64DDB8C2FD6F704FDF9FBEDC543D50DDE01
                                                                                                                        SHA-256:30F865D272A9D5F4D1011AEC948238260234D144B174FB3F9F019B0E20F3B542
                                                                                                                        SHA-512:B318E04C0DF60D06E568EF9A475AAE5D103F1745DE14B5E886A3C099ED97CF2570B6C7976EB83F7EB891C0CDC74DA9D8187A47498670B08E9876AF7FC30A1259
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):19104
                                                                                                                        Entropy (8bit):5.311944128888412
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:pWZYkW65ls+lCi7ITaana46WWhjGaCIc3q0GftpBjR5:cYQ5ls+lCi7I2ana465hjGit
                                                                                                                        MD5:E344BC37ADA98A30E8171AA57AD67F1C
                                                                                                                        SHA1:5DA149AD77B7FE337EFE7B734C0ABEB29B28EDAF
                                                                                                                        SHA-256:CCA99846583340224A7D8D077D16AF3E8632151226262A1AAF8520BAC6A7F08E
                                                                                                                        SHA-512:14461E914F28A044C8B18D1F550C54966BADB140A471AB53870FE4204EB8FE2D7E66E8B079CAD8BE04B4C3630F0BF7ACA177D6DD29636D0E86BBCEC8AF681522
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):49840
                                                                                                                        Entropy (8bit):6.4623835739557585
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:768:W015HAbKOjSWmtSjDRQwxnGDZqPNpIi6JlfwBREi:f2eOESjvnGDO6JlfwE
                                                                                                                        MD5:60414DA8A4D11B7D04B45A63E4DB1F44
                                                                                                                        SHA1:A72612752F2EF599682A2B0672D4E22A25A69BD9
                                                                                                                        SHA-256:CE53125E407B5CB8BFE43493D04520CA49846CE48730BE3BAA4DCDA95C32E671
                                                                                                                        SHA-512:CD067C43361A8A75D98EB0B6205A831311F6020DC381673C157C3799BE7C03B231E4E9E598E4D31CB397006C490D1C910D3E350D96838BF126D301EE26DE4087
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):63232
                                                                                                                        Entropy (8bit):5.917611256552373
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:Kan8MPqcyyaZM+TeVCB5+G9cTvdQc1bqMsmjDSBDlhIZ:UMPG7wqtDlhIZ
                                                                                                                        MD5:73658DEFE9E628A8FDEB1D5C05DDFF7A
                                                                                                                        SHA1:761D75372EB0B3F36CD0D3770C9CD07CC6237BF7
                                                                                                                        SHA-256:9F35441F95B491724A969BDEA022F4FF68429F3B5A56F5B2B8371B924D3F4602
                                                                                                                        SHA-512:BD6E3E330B05A103A0B7D50EF3F91FC007B72DE5C688B5CCF0BF5A7279624D1D24906F46E2AFD85A41FD29C8B9D27E19AD4C580019E0A4A7D3069501A54C4405
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):78592
                                                                                                                        Entropy (8bit):5.985522657746736
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:bdbojRaLEJ2tF0Hdlyw7GL1w1IcT7TXLqdqCOHd2gmNHH:hYR63P8dlNGu1IcT7TXLqrgmNHH
                                                                                                                        MD5:690F000FC9F60DA8DBAD47D215D09DF7
                                                                                                                        SHA1:345779B80FA02C85089B9FCA42D772C7A4183F9F
                                                                                                                        SHA-256:C483F19916E499AA27DCB653928CE948AC143B99EA9EF1B8073D562DCC208718
                                                                                                                        SHA-512:348032651159FCFCEC8D2406F2DD7245D9E8E7CF966F84F7842A7E26C93589FD132CBC7536F06EEAABD8D42E05DE441027A04B10C577A1CBD70633EC95739B8A
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):42248
                                                                                                                        Entropy (8bit):5.7018029445980405
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:768:5c1JB9Xaefxf2ZquXoQGaVL6rqnig3HAJiRG:e1JHXtp+ZquHVZigXoN
                                                                                                                        MD5:C66A1DEFDE8C07B998033ED62FB95181
                                                                                                                        SHA1:3EC046B1496D9667C4695768781E4404D7181244
                                                                                                                        SHA-256:8D846C2EED04015608608D47BC809640D1EBA20783226DEDE732A65AC32A9F05
                                                                                                                        SHA-512:4EB48351E9BBF0293DAC3C7E92E5C7B8D9D896E64B68F9FC9DBAC33EFFFD1A7747CFB8EEDFFABB653A4DF8A89F3B0D7950EB013D3C81FFBACA01131C66C57CEF
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):84736
                                                                                                                        Entropy (8bit):5.954982023854298
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:5krEteCiTny7jWHfpSEZRwsexZG0YUBXfqiGi79dShdPq3:5k3gCbzexZG0YUBXfqidchdPq3
                                                                                                                        MD5:9EE188971F2C72786C45FF360F8A7EA2
                                                                                                                        SHA1:C75F5481E33B54476A0FC7AA2B23BAFF1C679A43
                                                                                                                        SHA-256:224C2DBAC57BA05D81CF51515CB765AB631A2E8D0BE7996E99DEFA6AAFD4F162
                                                                                                                        SHA-512:A279026560CAD898F7326D3A3CBB49DDCEC1E129222D2EEA32941191F3BE3D200FC613B20D6EECDE9850907CA493E2693672826593842913B00884ABBF859AB1
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):36096
                                                                                                                        Entropy (8bit):5.714337584443591
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:76ght+fMtSM9jmxa1CFb1KJ9Yu6dnPU3SERztmCJMadMardz/JikPZ+3uW80NWty:OgX+EtkqP6rqnGlIFi9
                                                                                                                        MD5:9CE3E34553E9463065E39E53243BEBDB
                                                                                                                        SHA1:9DDB733EA384967C08E0A6E062DFCC177158AAB9
                                                                                                                        SHA-256:E709DD806D05EAF0FA59B80537BB1878B37AD57617ABE98DD7DE0092A5CE1A0A
                                                                                                                        SHA-512:09986226D679A4369F7646F4BB53FD6852C2040FBD7F6CD286215FD8D05A8826A4F464385F9289B46453B7EDC65505B4E4D410D34D140EF2540DCEF185C26E29
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):36088
                                                                                                                        Entropy (8bit):5.714814957715409
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:UQOJrYa7mdessomj5R/yeizfa195r7KJ9Yu6dnPU3SERztmCJMadMardz/JikPZQ:UQOVYoxVUqT86rqnzVArpLLJiz+
                                                                                                                        MD5:5723A31744C0ADB46258B43A20E65605
                                                                                                                        SHA1:DB223BC1D371E0B5D2AC78854A5D0B2B4F6D6969
                                                                                                                        SHA-256:6EC069D1F49E55C02E4EAB7A73B2D60D368EC1A8105A6C90C479ADDE2EB37D17
                                                                                                                        SHA-512:EBFA24B14F2F19F371DCA70F24414CE3E76AB9840837ABC5AE9B70F484A49BE2E062CA253B248F6719BFBA84BFE1393CD7337FDA13F3811B474AB887BC0C857B
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):64248
                                                                                                                        Entropy (8bit):5.85924635333732
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:768:ydgc7HHzMKqYyb6FZZ3JEMTt924zM8X79qZI3f6rqnbsWItfi9:zc7HHzMKpyGZ3Jr249XJqZqlbSf
                                                                                                                        MD5:2BA1ABB7ABE713860F352180B8B49BD1
                                                                                                                        SHA1:D6D5F503BB28E4F18120A5FD19D591F880D60ECB
                                                                                                                        SHA-256:4B27181554CD4C72AAC4731DA78661013AC2B077F172A7168B76D3B5F5838E6E
                                                                                                                        SHA-512:F70AE6522CD3F0A92EA46EFA79068906527430BD3CFA72B980B05555D360629EAAED701B85999E1AE0BCD4524AF4AF683426F2973CFD38B1146159E44EF2521E
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):82592
                                                                                                                        Entropy (8bit):6.315109825968458
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:9lZ1INq9uCUOFVSiHdq+sxne2FPo1065sPMgurHdCOSdlQnkt:9r1Ig9uCRFRzsxeuPo10JOSdukt
                                                                                                                        MD5:7E1347AD5A9E91A36CFA6A1237C3B30F
                                                                                                                        SHA1:F32EC02135C55C4A1AB272A7910EF2E302F102D4
                                                                                                                        SHA-256:F88487B96F8A90427A78495A6F996310375D2CF803B2CB19BC026E644824FF7F
                                                                                                                        SHA-512:B0A8A6AA8D70D9E0A8A611FA068962A91ABCE8679EFF9517B5791F53FC6CC8177623168AA048F0CE4EA08F512BB35D06A545684C359960A93E747ED2151392C6
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):269976
                                                                                                                        Entropy (8bit):6.567677657314867
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:6144:21eDj0BzYzr0RmPWmTmlOOpBifrBrWcsvcKVu+Yi06wJCMasfELOnrIpR:KuzsmPWIzqIrBaN0g0pDasf5sR
                                                                                                                        MD5:50839B40D8C699A8F1A55476DFFC4CF0
                                                                                                                        SHA1:CE5AA47C2CE433E9A23D2585B477A80EDAC65223
                                                                                                                        SHA-256:F18A02DAE7B4F41A5153DAEEB8DCB9DC1E70F45461F3928150E2A18FE1B36551
                                                                                                                        SHA-512:260D2DEAB64960EEAABEF02F9988CCB625D6E76127B774F5873849173A6D31968F545289504E66364C2FA17713ECF8A2A551942C62B5486727D91470BED12BB4
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):16536
                                                                                                                        Entropy (8bit):6.271151268791958
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:192:EnPDTS5lI/W03XfVlD6TWLOWWBlOqSya6HIp24uDBks/nGfe4pBjSrdazrr0:EL25c5vVlWWLOWgaCIc3q0GftpBj040
                                                                                                                        MD5:F34E8B905F0FCA3539042BCF7FFAB1AF
                                                                                                                        SHA1:19D5A3BC9369E8ADCA914AFB6E30C2BE11D063F2
                                                                                                                        SHA-256:AF1F4036B731EDA3D58E8227EC07E0FC8AAF2652539CE171C0FFC62BC541054F
                                                                                                                        SHA-512:2B72569600F0696B8422E71DC00E54B339421502C07DE855C3968328006BD6A93E333894A36B92892D1F960FFE35C5E238BAE3D512BC0F9FAD2A955DA20921C2
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):21656
                                                                                                                        Entropy (8bit):5.877730554831909
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:t0DszONM7PVllM+8TQpeRW/TK+k4mOh5feKGFlIkWMyCGW/BNaCIc3q0GftpBjY:t22CM7dTmTvReTK+PmW5qUCnBbiG
                                                                                                                        MD5:E646A74F93DA594B85FEFFD5AEAC940C
                                                                                                                        SHA1:FD3617BDF6FC69C70488EC66CCE29EA036B7EEE4
                                                                                                                        SHA-256:0AB921161E3E27C37A1954D13204D261C9A725C39D1BD4E6C1D1E1D1F69F7A11
                                                                                                                        SHA-512:91957EE5436F0BD5214F9BF1B8069EE2362E0C16112D997FDBF401726E3C98C9D4F2A1646D5FD46D3EEC518823DDD0DF4DA2ED9702517C96415007364C9AC8B1
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):117904
                                                                                                                        Entropy (8bit):6.434475273902593
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:Fx9/lZOyj4pLhQW0O4l4gRn0IwygakGU9rL0eeJJDbBDSIunQZSG7qkQ:Fx9eymLhnzWZmaHU9rxqDSvnQDLQ
                                                                                                                        MD5:0A2ADBEC46219701B9815FE680FED485
                                                                                                                        SHA1:1FFDAEF156F098EE66195DE5C28F6E1B38DE173E
                                                                                                                        SHA-256:129D565C0A33E830D603B210A97345EE4EE00F6451150D658FB22F08AE9FECBE
                                                                                                                        SHA-512:78553A4C5EF027D37349B557DB08CBF8BD4CCAF7675D5C886F9D56C97B0D4C92CAFB83A440DC69D05369C005D44FFFD960EF890358930A9EBFA1875432D8CE2B
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2010 x86 Redistributable, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219., Template: Intel;0, Revision Number: {461C455E-DA40-49B3-871B-14308CC7CEFF}, Create Time/Date: Sun Feb 20 07:03:10 2011, Last Saved Time/Date: Sun Feb 20 07:03:10 2011, Number of Pages: 200, Name of Creating Application: Windows Installer XML (3.5.0626.3), Security: 2, Number of Words: 2
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):163840
                                                                                                                        Entropy (8bit):6.375644516596573
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3072:0oTMYRradauoCcJg95gTdmmYdwYNRTK0+E4mN2E2275V495u:7RWd1odm4mmYdwT1
                                                                                                                        MD5:3FF9ACEA77AFC124BE8454269BB7143F
                                                                                                                        SHA1:8DD6ECAB8576245CD6C8617C24E019325A3B2BDC
                                                                                                                        SHA-256:9ECF3980B29C6AA20067F9F45C64B45AD310A3D83606CD9667895AD35F106E66
                                                                                                                        SHA-512:8D51F692747CFDD59FC839918A34D2B6CBBB510C90DEA83BA936B3F5F39EE4CBD48F6BB7E35ED9E0945BF724D682812532191D91C8F3C2ADB6FF80A8DF89FF7A
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2010 x86 Redistributable, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219., Create Time/Date: Wed Jun 29 03:19:52 2011, Name of Creating Application: Windows Installer XML (3.5.0626.3), Security: 4, Template: Intel;0, Last Saved By: Intel;0, Revision Number: {F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}10.0.40219;{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}10.0.40219;{1F4F1D2A-D9DA-32CF-9909-48485DA06DD5}, Number of Pages: 200, Number of Characters: 153223199
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):4028928
                                                                                                                        Entropy (8bit):7.99425811627881
                                                                                                                        Encrypted:true
                                                                                                                        SSDEEP:98304:lEpd3qZ0G3garI8w8xhB2TU01SHMMV6ZArX:KaZtC8vBy10M4
                                                                                                                        MD5:9843DC93EA948CDDC1F480E53BB80C2F
                                                                                                                        SHA1:D6EC9DB8B8802EC85DD0B793565401B67AD8E5E0
                                                                                                                        SHA-256:7C969FCDA6EF09D2EB7BBBC8D81795EB60C9C69ED835FD16538369AD0A6E0F10
                                                                                                                        SHA-512:79008CFDD8AE1EA27675588E7BA8123D08CE14047E5F167B3B5F6FBCDADEB45515BD72E18E59ABF632ECBFBB42243FBCBEBE4CBE0ED6BA195D0B2CA6D88676F9
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2010 x64 Redistributable, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219., Template: x64;0, Revision Number: {80902F2D-E1EF-43CA-B366-74496197E004}, Create Time/Date: Sun Feb 20 06:51:54 2011, Last Saved Time/Date: Sun Feb 20 06:51:54 2011, Number of Pages: 200, Name of Creating Application: Windows Installer XML (3.5.0626.3), Security: 2, Number of Words: 2
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):177664
                                                                                                                        Entropy (8bit):6.308605018559318
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3072:dOTekSoT5jr0BDKE6wIZzx3U9oTCR7XxA5SNmjWVcqelSxbfU75B79o:MT9SoT5+DzE3Ere5Yi
                                                                                                                        MD5:8F21BC0DC9E66F8E9D94197AE76698B3
                                                                                                                        SHA1:B48A08FDE80F739657B819B94602F861F3FF57A4
                                                                                                                        SHA-256:5763364634BDB2097B6DF6CDE79AC5CCE6069ACECF27254C589E3CABFFE53C2B
                                                                                                                        SHA-512:88FD8870BC0F5DBDD2CB4A6A97CF4B1AB81D7FF77C2B2A4D1F6B34A730D0347A5022ECC8CA5B2E7C5F7C2CBE0486D5046CFAFCB8167E001E1AC5E1797D03278A
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2010 x64 Redistributable, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219., Create Time/Date: Wed Jun 29 03:00:42 2011, Name of Creating Application: Windows Installer XML (3.5.0626.3), Security: 4, Template: x64;0, Last Saved By: x64;0, Revision Number: {1D8E6291-B0D5-35EC-8441-6616F567A0F7}10.0.40219;{1D8E6291-B0D5-35EC-8441-6616F567A0F7}10.0.40219;{5B75F761-BAC8-33BC-A381-464DDDD813A3}, Number of Pages: 200, Number of Characters: 153223199
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):4637184
                                                                                                                        Entropy (8bit):7.994962048491895
                                                                                                                        Encrypted:true
                                                                                                                        SSDEEP:98304:v03YogTE/3ftYrhhHk6K3N04fREXLNaxCSVMZhQ1f:ZgGhRk6KdNfS6vuo1f
                                                                                                                        MD5:905FCC526204DDF1E6650212ABC3D848
                                                                                                                        SHA1:ADED77F45B75D796CC4795263C826C822DF5F0D9
                                                                                                                        SHA-256:4CD45CF57644D49B4C8F96E4A0EFDC46A5BA196FA4F5A10190F790CCC74BB1BF
                                                                                                                        SHA-512:9470FCD540EA542936120782AA31ABECAF5D20CADD13FF82AD346F78F95020958937BEB2BFCF5EA4DE92C978338F5A324E334229C79F8166C66A1465E191BA47
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Microsoft Visual Studio 2010 Tools for Office Runtime (x64), Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual Studio 2010 Tools for Office Runtime (x64)., Template: x64;0, Revision Number: {011224A3-6FF2-4548-95B2-8E1F0DCB33F9}, Create Time/Date: Thu Aug 25 05:31:08 2016, Last Saved Time/Date: Thu Aug 25 05:31:08 2016, Number of Pages: 300, Name of Creating Application: Windows Installer XML (3.5.0626.0), Security: 2, Number of Words: 2
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):565248
                                                                                                                        Entropy (8bit):6.203300395032623
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:6144:v0jV7krae+YhOLvd0JYqhwMMDjTUsxKCCDjzsn9v/AlyYFTwSoT5jdSAPLQmlY1Q:vwGfSvd02qhwMMDpUpsh/Ak/7DlYu
                                                                                                                        MD5:CB7DF3525C2FBDB02ADF3CCD4A4C9432
                                                                                                                        SHA1:E070E83A52A4CD6F57E85F6CB3C52BFB82F68429
                                                                                                                        SHA-256:3789F88A27EBD9C8157BC40E8AACD64129EFDF0354F5CDFC7C2212EF37251221
                                                                                                                        SHA-512:69CE2534802802337070EC96CF124488558878B8816C5584B03FB27CC568D7F6FB9001CB576F0E8583DD5578943823D2508CB14741D832DBB0B6F834F359080F
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: S&P Capital IQ Pro Office, Author: S&P Global Market Intelligence, Keywords: Installer, Comments: S&P Capital IQ Pro Office, Template: Intel;1033, Revision Number: {A34B3796-9442-4328-875C-4043632CEC59}, Create Time/Date: Thu Apr 4 17:14:30 2024, Last Saved Time/Date: Thu Apr 4 17:14:30 2024, Number of Pages: 301, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.1.2318), Security: 2
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):177909760
                                                                                                                        Entropy (8bit):7.999378812785999
                                                                                                                        Encrypted:true
                                                                                                                        SSDEEP:3145728:Gur9MxsBd6qnpx2tnQBcXE/qWxiPBDx9g4j/pIBtPDf8DeDEdbAYo9A:Guqy9n2KCd2ORIBtUKD+AY
                                                                                                                        MD5:8972115A8C22F49F48522ADC11475E1D
                                                                                                                        SHA1:1799375A068C88A55D5703896CD5477FB9D45692
                                                                                                                        SHA-256:B354809355612AB26E579AD665732C76A3A70F6021299F35888836F0E63E88D3
                                                                                                                        SHA-512:3F2D7B4F7634EB8365D185193EF27ABBA9A7E39BC0F05DE6B34BEBD12E4792F9172653B81E0A0DA70BBE4B8FB09A289AA28997105F62A8179025379DF4DB3ACB
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):166040
                                                                                                                        Entropy (8bit):6.040302746887662
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3072:LgN6wMs19DGwTUxlwZRlKCCDjshYsnY0TYaPX/+fgQyVqP/f:LhwMMDjTUsxKCCDjzsn9v/AlyY
                                                                                                                        MD5:93C759811CB34C7C2601A0B6831108A2
                                                                                                                        SHA1:DE1FD2E90EED11521724A4EECFA014792A94F87E
                                                                                                                        SHA-256:3C4DD11F2C6E82D9A2E1388ADBF66856266B2FE114F7C2FEDF59F8E3A664FDCA
                                                                                                                        SHA-512:FAD51970C863C67D8E38A63DD248CA61EAF0CE873A15BFF28D027B2B0C58A64483E7E51C87B0290E42727592225AE22F067491508F3B7CB662FF2254E039F620
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):151328
                                                                                                                        Entropy (8bit):6.713520099553101
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3072:wNrVkQxbjOMDqzFzdw2i2MmawrTAC3E0C/rxHpRm7jNdi:Y6Q1jtEFpw2zMmawrTP7qSjNd
                                                                                                                        MD5:E27A50732FA99B94D161CC8A4E545A4F
                                                                                                                        SHA1:448025A1E066E17CFFE789FB2018B67BC05D9950
                                                                                                                        SHA-256:ADDC84FD035F81F79139FCB13111B01D0E7B3619A89592CBCFD41745EFD2C41A
                                                                                                                        SHA-512:17255C60E6F79924688D1044C79A916F2EA28314A005F41CD3355CCE21ECCE834993AB3977D5A6F50D1F1194763902BC87203BBFE5C2EE536C882B3673E89D69
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):373447
                                                                                                                        Entropy (8bit):7.009738104060148
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:6144:11sA6fnlk/NIav9eUH0Ni+O6l20vuAqd8uxt7AUhJO:vinQCal0Ni+O6lQnFS
                                                                                                                        MD5:32C7117A6384F187C4470AD9EB5D4ABD
                                                                                                                        SHA1:EDDAD94E3EBD92FE2DA696024733CF491E684099
                                                                                                                        SHA-256:B821EB4482631DE27C433E255C5017800857DCB8BFE59C5EF53F97182BABE36C
                                                                                                                        SHA-512:6D5A399E770F22FF0583040062BC9A71755715978CC09478471401292A28A126BAF6C9A1A05DE33D7A03745B19D07D0137C40FA59A5A5B22C7C1E8990F0B7224
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):373447
                                                                                                                        Entropy (8bit):7.009738104060148
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:6144:11sA6fnlk/NIav9eUH0Ni+O6l20vuAqd8uxt7AUhJO:vinQCal0Ni+O6lQnFS
                                                                                                                        MD5:32C7117A6384F187C4470AD9EB5D4ABD
                                                                                                                        SHA1:EDDAD94E3EBD92FE2DA696024733CF491E684099
                                                                                                                        SHA-256:B821EB4482631DE27C433E255C5017800857DCB8BFE59C5EF53F97182BABE36C
                                                                                                                        SHA-512:6D5A399E770F22FF0583040062BC9A71755715978CC09478471401292A28A126BAF6C9A1A05DE33D7A03745B19D07D0137C40FA59A5A5B22C7C1E8990F0B7224
                                                                                                                        Malicious:false
                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........6m..X>..X>..X>(..>..X>(..>..X>(..>..X>E.[?..X>E.\?..X>E.]?..X>...>..X>..Y>;.X>8.]?..X>8.X?..X>8.>..X>...>..X>8.Z?..X>Rich..X>........PE..L...*..Z...........!.....B...|.......L.......`............................................@..........................{...*......x.......d....................... ....r..T...........................Xr..@............`..l............................text....A.......B.................. ..`.rdata...P...`...R...F..............@..@.data...t...........................@....rsrc...d...........................@..@.reloc.. ...........................@..B................................................................................................................................................................................................................................................................................................
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):373447
                                                                                                                        Entropy (8bit):7.009738104060148
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:6144:11sA6fnlk/NIav9eUH0Ni+O6l20vuAqd8uxt7AUhJO:vinQCal0Ni+O6lQnFS
                                                                                                                        MD5:32C7117A6384F187C4470AD9EB5D4ABD
                                                                                                                        SHA1:EDDAD94E3EBD92FE2DA696024733CF491E684099
                                                                                                                        SHA-256:B821EB4482631DE27C433E255C5017800857DCB8BFE59C5EF53F97182BABE36C
                                                                                                                        SHA-512:6D5A399E770F22FF0583040062BC9A71755715978CC09478471401292A28A126BAF6C9A1A05DE33D7A03745B19D07D0137C40FA59A5A5B22C7C1E8990F0B7224
                                                                                                                        Malicious:false
                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........6m..X>..X>..X>(..>..X>(..>..X>(..>..X>E.[?..X>E.\?..X>E.]?..X>...>..X>..Y>;.X>8.]?..X>8.X?..X>8.>..X>...>..X>8.Z?..X>Rich..X>........PE..L...*..Z...........!.....B...|.......L.......`............................................@..........................{...*......x.......d....................... ....r..T...........................Xr..@............`..l............................text....A.......B.................. ..`.rdata...P...`...R...F..............@..@.data...t...........................@....rsrc...d...........................@..@.reloc.. ...........................@..B................................................................................................................................................................................................................................................................................................
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):373447
                                                                                                                        Entropy (8bit):7.009738104060148
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:6144:11sA6fnlk/NIav9eUH0Ni+O6l20vuAqd8uxt7AUhJO:vinQCal0Ni+O6lQnFS
                                                                                                                        MD5:32C7117A6384F187C4470AD9EB5D4ABD
                                                                                                                        SHA1:EDDAD94E3EBD92FE2DA696024733CF491E684099
                                                                                                                        SHA-256:B821EB4482631DE27C433E255C5017800857DCB8BFE59C5EF53F97182BABE36C
                                                                                                                        SHA-512:6D5A399E770F22FF0583040062BC9A71755715978CC09478471401292A28A126BAF6C9A1A05DE33D7A03745B19D07D0137C40FA59A5A5B22C7C1E8990F0B7224
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):81752
                                                                                                                        Entropy (8bit):5.917169251986494
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:6KO1XOpx/8jbc8Atclkr2MLyAWFO9zNnNWxDYgi950:bCXw/8jbJ7kr25ReNnNWxDYgi950
                                                                                                                        MD5:85C03E236D63A5C3DE41B6BCB457EA0C
                                                                                                                        SHA1:90287D811E284A4D056AB2D1FB27603C84CBBD29
                                                                                                                        SHA-256:AEB30AA394D0A057AA919C2DF3ABEE1DFDEC55A3C1765AD906D486B6CE692E50
                                                                                                                        SHA-512:6D918F2320068D0A733626390E256C5DA33747E364A21FF942D91789D46744CC0CD4C09B4E57E81808302B369701B9E8AE9FB42AB3429C33E2B6BF409C6E1412
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):85504
                                                                                                                        Entropy (8bit):6.350805739356341
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:aChZ5oVlwKpAQOxQ+/hvFTTMJ0vR2JeLEUTXFTk2y3OI:vhZ5oVlSxLvFTb0JHUTXFT3y3
                                                                                                                        MD5:08895FFBB06B9E35893A77B8D613BC53
                                                                                                                        SHA1:8826FEDA89DC5905D6C327AED3AA839A510B96BE
                                                                                                                        SHA-256:FF95EA08D4EB2A9879C839179B0A0BF223268AFE84430F23582208C814EE19A1
                                                                                                                        SHA-512:FE213B0050B9346B6C7A8583BE988870E7442C64407FBBD98D952653E206037C108780DEA9F0EA9C51346D021935231A774B040ECCCAA6123869E6318517B1B9
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):85504
                                                                                                                        Entropy (8bit):6.350805739356341
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:aChZ5oVlwKpAQOxQ+/hvFTTMJ0vR2JeLEUTXFTk2y3OI:vhZ5oVlSxLvFTb0JHUTXFT3y3
                                                                                                                        MD5:08895FFBB06B9E35893A77B8D613BC53
                                                                                                                        SHA1:8826FEDA89DC5905D6C327AED3AA839A510B96BE
                                                                                                                        SHA-256:FF95EA08D4EB2A9879C839179B0A0BF223268AFE84430F23582208C814EE19A1
                                                                                                                        SHA-512:FE213B0050B9346B6C7A8583BE988870E7442C64407FBBD98D952653E206037C108780DEA9F0EA9C51346D021935231A774B040ECCCAA6123869E6318517B1B9
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                        Category:modified
                                                                                                                        Size (bytes):373447
                                                                                                                        Entropy (8bit):7.009738104060148
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:6144:11sA6fnlk/NIav9eUH0Ni+O6l20vuAqd8uxt7AUhJO:vinQCal0Ni+O6lQnFS
                                                                                                                        MD5:32C7117A6384F187C4470AD9EB5D4ABD
                                                                                                                        SHA1:EDDAD94E3EBD92FE2DA696024733CF491E684099
                                                                                                                        SHA-256:B821EB4482631DE27C433E255C5017800857DCB8BFE59C5EF53F97182BABE36C
                                                                                                                        SHA-512:6D5A399E770F22FF0583040062BC9A71755715978CC09478471401292A28A126BAF6C9A1A05DE33D7A03745B19D07D0137C40FA59A5A5B22C7C1E8990F0B7224
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:data
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):30775
                                                                                                                        Entropy (8bit):5.98131563057955
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:768:HLWRW40qy6kJ62TGorsDx6VivpPYUpOls0jM2GxiRn:C6rZUpFLkn
                                                                                                                        MD5:2A73C60540D37C55A7EA308CE880A116
                                                                                                                        SHA1:6A2BF4A7C97463EA79D10A20E302E2D269296FAD
                                                                                                                        SHA-256:DC7541028DE4487BAD783A35639CC3AA20BF02655436A932B3AB477EA9658D1E
                                                                                                                        SHA-512:EFD7D44DD9CC413BFB9FA5839D08A1ECADC6D1E52A98217F506E2ABDBF4BF1FFDD87A89628E7B5E6A55CB09B214ADA44BE52E03BB6F86A6574E5A90DF080BB8D
                                                                                                                        Malicious:false
                                                                                                                        Preview:...@IXOS.@.....@...X.@.....@.....@.....@.....@.....@......&.{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5};.Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219..vc_red.msi.@.....@.....@.....@........&.{461C455E-DA40-49B3-871B-14308CC7CEFF}.....@.....@.....@.....@.......@.....@.....@.......@....;.Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@......10.0.40219...@........ProcessComponents..Updating component registration.....@O....@.....@.]....&.{8453C4E7-26E8-3408-B3A4-5940CA95BC60}@.02:\SOFTWARE\Microsoft\VisualStudio\10.0\VC\VCRedist\x86\Version.@.......@.....@.....@......&.{1414BD84-D9A5-3EE5-AA73-118D7C072370}D.02:\SOFTWARE\Microsoft\DevDiv\vc\Servicing\10.0\red\x86\1033\Install.@.......@.....@.....@......&.{E2F46933-FF4F-46E0-B997-F64D2C6D4FA1}D.c:\Program Files (x86)\Common Files\Microsoft Shared\VC\msdia100.dll.@.......@.....@.....@......&.{529D0A60-398C-38A2-97EF-82FAFA798
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:data
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):29231
                                                                                                                        Entropy (8bit):6.0133880622697315
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:AlUIBpsIncooLjUQyhb5cP4IUEUciXXPYQG0p1RSq7fRSjJiZRSGGRSDQYciuq/B:AW6rWiHPY+t6665iBB
                                                                                                                        MD5:6D5CB81CCDD8F30A2CE28EDF6ABCA8AB
                                                                                                                        SHA1:D20262C843583BE2550E726222FEA536A3DD7825
                                                                                                                        SHA-256:3B39EB0C65264E7083E09A0AAA616CBB8978DF6797D2F7E615679AB48B612941
                                                                                                                        SHA-512:6DB482024B5B2ADEF7BADA39C69CA7253536C8E0541871D6A18B34CAA7AB870D7CC85BC93E15A37F9C1CE7E468CBC0388B6FC8285D546086A5A1C5D63A464DFD
                                                                                                                        Malicious:false
                                                                                                                        Preview:...@IXOS.@.....@...X.@.....@.....@.....@.....@.....@......&.{1D8E6291-B0D5-35EC-8441-6616F567A0F7};.Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219..vc_red.msi.@.....@.....@.....@........&.{80902F2D-E1EF-43CA-B366-74496197E004}.....@.....@.....@.....@.......@.....@.....@.......@....;.Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@......10.0.40219...@........ProcessComponents..Updating component registration.....@O....@.....@.]....&.{22CD0840-10D2-3F4C-A702-770C23400822}@.02:\SOFTWARE\Microsoft\VisualStudio\10.0\VC\VCRedist\x64\Version.@.......@.....@.....@......&.{55AB560C-46D5-3298-83A0-AA1217112368}F.02:\SOFTWARE\Microsoft\DevDiv\vc\Servicing\10.0\red\amd64\1033\Install.@.......@.....@.....@......&.{20122449-38BF-4F42-B1E3-C77D4B22DB7C}>.c:\Program Files\Common Files\Microsoft Shared\VC\msdia100.dll.@.......@.....@.....@......&.{4EAB55CC-6645-36FE-84E7-0823E5DF6499}
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:data
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):1272416
                                                                                                                        Entropy (8bit):6.1857000953176104
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:24576:aEKxeseHbf7bfXhwXDpUpQxhwXDpUpQ7hwXDpUpQIhwXDpUpQqhwXDpUpQh:hdHHrhwNUSxhwNUS7hwNUSIhwNUSqhwN
                                                                                                                        MD5:FBCC5157A6D13DA1BB2319F94333E61A
                                                                                                                        SHA1:5BEF961ABFBCFB4DCC4D02D2244C4C82C6418B7A
                                                                                                                        SHA-256:C236CC641C029D4A5C2E2C3C4802DCAD2FDB787D60164C1D5CA8C979DDBB234F
                                                                                                                        SHA-512:4772AF964E09C916558ECE18B3B688141D268CDFEC198D4AF3AF1244947DE4D652E470439859402CD306C6FC60A3120F1E6B30033CC638C922B71F672BA659E0
                                                                                                                        Malicious:false
                                                                                                                        Preview:...@IXOS.@.....@...X.@.....@.....@.....@.....@.....@......&.{FD9D64F4-CAF5-3D23-845A-B843C78CC1A5};.Microsoft Visual Studio 2010 Tools for Office Runtime (x64)..vstor40_x64.msi.@.....@.....@.....@........&.{011224A3-6FF2-4548-95B2-8E1F0DCB33F9}.....@.....@.....@.....@.......@.....@.....@.......@....;.Microsoft Visual Studio 2010 Tools for Office Runtime (x64)......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{E2147DCA-DDB4-4245-91B3-ED5EBB2A36E6}=.02:\SOFTWARE\Microsoft\VSTA Runtime Setup\v10.0.60825\Install.@.......@.....@.....@......&.{39A436F1-525F-4D9C-95E5-01D682F0FB25}..<\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0,version="9.0.0.0",publicKeyToken="b03f5f7f11d50a3a",processorArchitecture="MSIL",fileVersion="9.0.30729.7079",culture="neutral".@.......@.....@.....@......&.{B25064D6-77BB-4B1B-B4CC-F8EDF50C7B6D}..<\Microsoft.VisualStu
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):85504
                                                                                                                        Entropy (8bit):6.350805739356341
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:aChZ5oVlwKpAQOxQ+/hvFTTMJ0vR2JeLEUTXFTk2y3OI:vhZ5oVlSxLvFTb0JHUTXFT3y3
                                                                                                                        MD5:08895FFBB06B9E35893A77B8D613BC53
                                                                                                                        SHA1:8826FEDA89DC5905D6C327AED3AA839A510B96BE
                                                                                                                        SHA-256:FF95EA08D4EB2A9879C839179B0A0BF223268AFE84430F23582208C814EE19A1
                                                                                                                        SHA-512:FE213B0050B9346B6C7A8583BE988870E7442C64407FBBD98D952653E206037C108780DEA9F0EA9C51346D021935231A774B040ECCCAA6123869E6318517B1B9
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):166040
                                                                                                                        Entropy (8bit):6.040302746887662
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3072:LgN6wMs19DGwTUxlwZRlKCCDjshYsnY0TYaPX/+fgQyVqP/f:LhwMMDjTUsxKCCDjzsn9v/AlyY
                                                                                                                        MD5:93C759811CB34C7C2601A0B6831108A2
                                                                                                                        SHA1:DE1FD2E90EED11521724A4EECFA014792A94F87E
                                                                                                                        SHA-256:3C4DD11F2C6E82D9A2E1388ADBF66856266B2FE114F7C2FEDF59F8E3A664FDCA
                                                                                                                        SHA-512:FAD51970C863C67D8E38A63DD248CA61EAF0CE873A15BFF28D027B2B0C58A64483E7E51C87B0290E42727592225AE22F067491508F3B7CB662FF2254E039F620
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):20480
                                                                                                                        Entropy (8bit):1.535021625181347
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:24:JLvptINToy5HeoJegvZxydsHfOmYZFNx:ZxtATF+oUgvZIu2Z
                                                                                                                        MD5:D673EA6767F26B45FDBFA9726DD4B294
                                                                                                                        SHA1:CD0AAC4CFFA266B7710CE87FDB99AFB4AA0F0469
                                                                                                                        SHA-256:2D46E65F539B89702158DEFDFDD19ADCC48EDCAC058A775BDEF71EFC72BEC568
                                                                                                                        SHA-512:21ACFACBAB9F79FD7ED0A9D14DE3E28C4387DF82CCADE0BE77FFAF9A8C64FC10DDBA6933C76309F7A10271DFEE0573DDD0C19314B7FFB0A730EF2001F68C152A
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):20480
                                                                                                                        Entropy (8bit):1.5335706282795787
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:24:JDptINToy5fD0YUJegvZpD0YtdsHqt+mRZFNx:7tATFf4HUgvZp4Uuqt+aZ
                                                                                                                        MD5:5A5A0DFB2A5C8B3C0F573D0DF34DED8D
                                                                                                                        SHA1:2588253DB0DABD96957A5D0890FF94C731723BF5
                                                                                                                        SHA-256:315EF7B4F954E49EF34CCE40EBB0DE10BED59026D1503DBC1124CFC40A267FDE
                                                                                                                        SHA-512:28346A2400A88359ABC68044B494C43C1579D16193713E53E9858A8E1DEAB89BC64B195E45C470946AC8533D758A1F8CB08320052D25E585D34D40FA1063C93C
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):20480
                                                                                                                        Entropy (8bit):2.4909860035346583
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:96:88ycipbinacPbwldGzWr7+4H0fyApSYa92Vmmmmmmmmmmmmmmmmmmc99ln:88Dihiaced+Wr7qyApSB9z9
                                                                                                                        MD5:3BCC04DD7992F55391F380062179473A
                                                                                                                        SHA1:758E4A259981C17EBE4F91FC6255B26A9768E456
                                                                                                                        SHA-256:1AEA3BF57F0365FB0A716C19D757CC340DB0B2A10CA80DE1CC2E24AD1A471F88
                                                                                                                        SHA-512:85C26E3A943CE12EA4F460ED81CC6C54FFA6E20A84D24CEF854000745354CCE23A9690B12CED787B87161DCC11ADD5C568A964B7A9608F106316554FDF807FF2
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):49152
                                                                                                                        Entropy (8bit):1.208887092856817
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:96:y9fFTo8D7CfiiTWxcf4s1nhJf4oSf4myJ0SsuRbjcuwf4scoE:MfFUIriFxPfSlyxsduwg
                                                                                                                        MD5:999638E95705D6E442C87A70C34DC756
                                                                                                                        SHA1:AD66AACDCA995F0FC187856B94B9160B2A5110D5
                                                                                                                        SHA-256:8CAFE1E60EAF208D31264B9A509233CD7A1652B2CBD79063009FF1D7C006F27E
                                                                                                                        SHA-512:1638C549C3C54D97DB92290C1319FAE973979E5128E7C8C0F3A6D0CF28242F3B8ECB5D41B98329378318D87B6DD10EB3BE7C72330EE24B2CF49FA146D4D5A560
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                        Category:modified
                                                                                                                        Size (bytes):433599
                                                                                                                        Entropy (8bit):5.375599732372503
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26KgauD:zTtbmkExhMJCIpEr+
                                                                                                                        MD5:10133A3501A1951FDFA3EB027FD1EDA9
                                                                                                                        SHA1:7F6F2B880121B2CFEFF5AA311A68B0275B7A1F7B
                                                                                                                        SHA-256:CA0A7D8013AB5DAD37C35F20FCEE443F7C2E70793027A4CBDD8792697448334A
                                                                                                                        SHA-512:0F85E6205B801B68E5A9FA70F69B4314E48F5647F97895484F05CCDA334477A8872EC508ADEDA0337476288D636474CFACA86ACEB5DAFDC0F49EE72A7C2D1EBB
                                                                                                                        Malicious:false
                                                                                                                        Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [
                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                        Category:modified
                                                                                                                        Size (bytes):418050
                                                                                                                        Entropy (8bit):5.3648171558815365
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:D7scgy1oObkeOmuvCu+iBX7/byobkAmeOeKC0usWyEoyKcK4ka66baI56rCWyzew:vmlm04ITvqRUtF
                                                                                                                        MD5:E26603C89754D730D51029E2228440E7
                                                                                                                        SHA1:06AE4AA73FC059F10A2F2C2578384CAF5AB71EEC
                                                                                                                        SHA-256:F0E69A3C4024228AB85781379BCF370FD6D170475A21E6E7F7E364C4E499AF1E
                                                                                                                        SHA-512:35B5EC074D896C81E4C726DE03BD330313D5FF986A098B8E3727762906D041DA048C80DB1ED9289AB58F8BA540EE48CB26F60CFF36B098C8476389A504F21EC1
                                                                                                                        Malicious:false
                                                                                                                        Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:12.473 [1976]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:12.493 [1976]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:12.493 [1976]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:12.493 [1976]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:12.493 [19
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):138056
                                                                                                                        Entropy (8bit):6.454858115300033
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3072:ZEi2/YxBFZNAWH6Gk5BsyGfGM8WzkAFoX:0OFZKWaj5BstfbZx8
                                                                                                                        MD5:C85670AB64068F8080998AEBA6C5019C
                                                                                                                        SHA1:EF762C375486594F6604F39311D32442156AC8BB
                                                                                                                        SHA-256:87D88235F69C062E5B759F91253ABAF7BD055937DD119BD26858237F812D3DED
                                                                                                                        SHA-512:870A27585F72E444FA9A2B46AB53ED420932952BE8A3C4DDD0D831D72BE0AC1B44992CF757DE76D0CD667CD5B6150E9EB96AC2A8E7161A22C7D557946A12E5C6
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):4397384
                                                                                                                        Entropy (8bit):7.044443988235452
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:98304:WEWsrhmswShHpSvnB5MnhpTnWbWA7ySeAfCt0PfI9jWwg76YAvvU+uFLOAkGkzdz:W6DWbLRojDbvU+uFLOyomFHKnPA25
                                                                                                                        MD5:493FC0F59054A6F4F3775655FB55295C
                                                                                                                        SHA1:2AFE4F5EB626FB5C5AA5BB6C2BC61C88E37CF42F
                                                                                                                        SHA-256:CAC58C98F7E587BA1B2A4F41874764B59BDF6CB684A4A44AEE93F91B3B9A019B
                                                                                                                        SHA-512:9DA41078A65A6B8C731388CCF4CE2A988705305F29F0841039B96CD2649F82E8EA219F082DE184826E39F0EDAA4A1D9AFF2E60EBB8D27771222D0C7CB165598D
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):36176
                                                                                                                        Entropy (8bit):5.5676133503681875
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:/1ndBysNKvsX8WDWAFYbRWktLiBrHuuPgldyevyBbXVLN1jLb6FjXHUZP:/5divsXFEptLkrHyTby9XVL7b6FjXHUV
                                                                                                                        MD5:C086A0AA8C39CB2EA09EA967D433733E
                                                                                                                        SHA1:B5139ED7A2AF76AD71C1ED3625543C0C98256984
                                                                                                                        SHA-256:21688ED8DE2A5C9E95E25E750BD6D8A7BC5446172DAE69AF9DF96FEDA022FC7E
                                                                                                                        SHA-512:EAF03CF10669DD289E108370A6DE7484ACB0F59389ECA6DA907D579767DE919B08A6388E635E06BB3D222DC4D9303F964634A6B8820572E796279063D192E926
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):36176
                                                                                                                        Entropy (8bit):5.625769376549212
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:768:suufpTVI4r67kn4TJVM3i/EhKhb6FjpvkXM:4pTVI4r64noVM3XhK16F5kM
                                                                                                                        MD5:44EE19CB7DD5E5FD95C77FE9364DE004
                                                                                                                        SHA1:9DDE4A75E2344932F4A91D8EF9656203C2B3B655
                                                                                                                        SHA-256:254E83FAD56AA1A1CBA3D5E0FC32509FEE82482F210E238E81F7D8B117A69B8C
                                                                                                                        SHA-512:2C636ABF08D44EEDF452EDF02BF4243E76E14BB95E8A24012787DDFFCCE69C1D7FC4BE98C4B5CD70532FE8420882E1ADE228900C5F36669FDD90FE0383DDE6AF
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):64336
                                                                                                                        Entropy (8bit):4.137941849217605
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:BVPidQr0OWqnn0BDTEPu6V4aGCWRZ+e0petNSaQhp0vcsjsr8gWt8C1dCuf9Z/6W:BVidQr0OWqnnSTEPu6V4aGCWRZX0bhp6
                                                                                                                        MD5:ECA6624EFEBBE2C0C320AC942620C404
                                                                                                                        SHA1:ACBEB473088CAC5887E9D9823A00570A102A8705
                                                                                                                        SHA-256:2BF46F1536CE621801FC621FABBE59F32AD856AA8AE085EB6E4469885C171DA3
                                                                                                                        SHA-512:860E7C994091418177DEDC7D4E935985DE0CEADC4EEBB569D9E38024478DAA78E621B57E722195915183C4E1935EFD98C08E1E4C8CB2E7C47306EBFC097F49AD
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):55120
                                                                                                                        Entropy (8bit):4.199600802944499
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:768:TgIdijcuEhCgysM6B1CLPLNq5f/nWHBNheOU2fd51b6FjpvU:kI0ifysM6B8PLNYf/nWHNTdr6F5U
                                                                                                                        MD5:2A2C442F00B45E01D4C882EEA69A01BC
                                                                                                                        SHA1:85145F0F784D3A4EFA569DEB77B54308A1A21B92
                                                                                                                        SHA-256:D71DB839DE0BC1FCC01A125D57CED2AAEA3F444A992426C316CE18C267C33A8C
                                                                                                                        SHA-512:F18D9019EEE843D707AA307714A15207BE2DED2ECEAB518599FBED8A3826A1A56F815FE75FB37F36C93BE13F3D90E025F790DB6B3BA413BFD5CD040B2CC7DBF7
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):63824
                                                                                                                        Entropy (8bit):4.072824469338212
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:768:mYE0Kv+BU6Hj6rg/PKuCOCF3OKWRElJRZRIvp6b6Fjpv9h:fA+q6Hj68/PKuFm3OKWkRZRIE6F5D
                                                                                                                        MD5:B4E91C857C886C8731F7969D9A85665D
                                                                                                                        SHA1:A639781B1DC2C7BDD855BE37FBB39B55AD5B734A
                                                                                                                        SHA-256:7F3E218C1BF7BB0F00885AFEC8ED60C8EDD48A73622FEB2FCE7CB282AF1BE900
                                                                                                                        SHA-512:FBB841339B216FB677DDF798D004503A1C0C8A60D17EDD502D2A893985CEFBA8B13FEBC594DCAA0ED9DF823FBCED0367D8C1074D7025E6BF6E6D4EC5CD1B2648
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):64336
                                                                                                                        Entropy (8bit):4.117127086980955
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:768:Xqth26iN6NjZELmcYImN8YxAaTafCp5eFQZmZUjyyyyyyyyyyyyyyyUGQFUbWo2k:eNPqLmcQA2SCHj0jE6FrHUyv
                                                                                                                        MD5:BB21453C6707A7B5DD9F727ED375F284
                                                                                                                        SHA1:56E7A1011221B87AF1B1EA766114161FB5DD4A3A
                                                                                                                        SHA-256:8630D9B71A04BFCAD5ED15C11CBF88F2DE42ABFA458BC66963E6D0D207DC01C8
                                                                                                                        SHA-512:C74BBFCD5C407FA1D8189F1805E12E2261268059C3F4D7EE5D5492811D161906B27E9623BE55649504B2888F3AAE0AD98038F420C1969CB6693328C78EC6B1C8
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):62288
                                                                                                                        Entropy (8bit):4.096505353321104
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:768:o6E6XaEYyqbK15M6LigDGxNIlW3gyCQQQjeqS1hDsiiUWTVlb6FjXHUfJ:1aEOs5M6LigSxNIlW37oETD6FrHUfJ
                                                                                                                        MD5:A99884AEAC9C704600C6F5A44B3F7694
                                                                                                                        SHA1:1D65B58014F1ECFFA3E8AFFA4B21AB4466732D9E
                                                                                                                        SHA-256:54C711B8EC19AB39C881BA16AF97DFF6D1CD74C1E2FE6FF50EC51C466015AA6C
                                                                                                                        SHA-512:DD2F6113B0D879C3699C97DB42FBEF03413DFCCAC9772596ACE7FED5850B269AC0ADC94C30439D5C37688E11FF73FFA53409D483BD2F419E16769B0213A5D46C
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):43856
                                                                                                                        Entropy (8bit):5.451944344408199
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:768:8sTbayVn/G0tJxtr10/euKRHIWub6FjpvzA:ZTeyp/Gu/uM06F5zA
                                                                                                                        MD5:76022ED341931C473D2DFB27D56E37FD
                                                                                                                        SHA1:BE2B19CC30093069E61349908153D22383FEDA7F
                                                                                                                        SHA-256:0C7637E3AE7E2C429807194C470A1E7BD98AE02D67D543380367F142CF08173A
                                                                                                                        SHA-512:0C30AC2A2A1BAFB4462142ECAF059800BA262E2F82D82F229F78A0B91018D38ED101ACA29EF01458DEA6F9D34B8FD76940F7C8765FF8FE9D412EE3DBA5419F42
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):43344
                                                                                                                        Entropy (8bit):5.557482266926806
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:768:iVz754LQTNl2raHniJNB2I7Cvqpb6FjpvK:Q51TNlfniJv2I7Cvqt6F5K
                                                                                                                        MD5:222BE89E34F4BB9059B7587074C5F88B
                                                                                                                        SHA1:47EBA84CF57011765A16D0D514069C9C86AF16BB
                                                                                                                        SHA-256:0F0E518D6B12111ED847B2F62929799D2754F6F45B21977F8929842A2CEC471E
                                                                                                                        SHA-512:83A3A51870B356DE1330A47A79FF00032155DEBEED8A53B16142FED6A332B9B49E02076991D354F817410BFEB535C9C73AC872402194A822C877B4C9F7B15DB8
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):60752
                                                                                                                        Entropy (8bit):4.691759145763307
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:768:TURq/lFXOv10uqN9TMIVhtZ3FckD+Sbb6FjpvimF:pDXOv1IhTVn6F5pF
                                                                                                                        MD5:1655E43D3DBA000394CF208E95EA2B02
                                                                                                                        SHA1:B29FE26CC85F102345619CA514A93E832A294E43
                                                                                                                        SHA-256:B34CAFEB0DDA67F5B271E15B20E94DF4805058A37ADAD5DC3331E11FA612BC42
                                                                                                                        SHA-512:3A040AE2B912DFECFF43C82C148E097563174C0326F8211C56FFA1D82E0C1F26F7829B52EE9D68E0737A8E05457472C800E8AA99EC6883904967B8DD2D5C3B76
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):4422992
                                                                                                                        Entropy (8bit):7.012067538535142
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:98304:veeKejRb6KYYRzl1rYBrAWpTmms3Ctm8oVXK0na6g3QAt1zwoN1R4FLOAkGkzdnr:v8NpL84jN1eFLOyomFHKnPAu
                                                                                                                        MD5:F3DE10AABD5C7A1A186C9966F037D0C0
                                                                                                                        SHA1:6AAAE8331A5377F4025D2D860E5872B842A41DF8
                                                                                                                        SHA-256:BC50848AEEF466DFF4A3D8C386BF0D0EC35B8E5B438031AE885AA5371F2E1A42
                                                                                                                        SHA-512:07D93B8ABBF8ACFAB1D8F0711A37086764000310450BA361E7D5E1369012B3A45FD394460841B0F3CCA79ACEAD2080BBE1F029BC36191C133D7CCEA182CA84E1
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):81744
                                                                                                                        Entropy (8bit):6.142711445980364
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:+oqh1BCXr5esH5YKn7bLQVqTpO9OBXBn6FrHU:+/hvgz5YKn7bLbTpSOBXB6Fo
                                                                                                                        MD5:BE83B709811FBB18DCAA03412DA0BCEB
                                                                                                                        SHA1:F4745BA4108F276CAD6C48F1A1CCF050C2C5D716
                                                                                                                        SHA-256:ECB4ABCE8A92F459B0DA962A629D0BEB66D417A209225FFD321EDA60666D36B1
                                                                                                                        SHA-512:4F04AFE91FD7B38CB98928CD07222FD1BB550EE14B508BB959A2EE35EB2F51CACDAE0572B88C5B4786B2B5DAE8F47C101D13B6D01F8EBFC74540C3DB9D206F73
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):81744
                                                                                                                        Entropy (8bit):6.149338266663653
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:ZIzAkBQS3ilE+38NrtbLQVuH5OBXOa26FrHUK:ZKAkB1ilR38NBbLBH5OB+aLFoK
                                                                                                                        MD5:D23A577EB4829A9F1B1D4EA679E98B54
                                                                                                                        SHA1:CD364F8AE5A64DCE82225A3C9658114A1A905504
                                                                                                                        SHA-256:5104D9B832D6BE34D8FFBFA1EACC1A95E7EF8864E2C3C5720F04D217F8DCCF51
                                                                                                                        SHA-512:2652652D40BDB512756EA572D7F1202225CEDA89584D12725258843523FC65B51B240FFE057F8570B4B0E785BD2D429EE5BCBA782BA30A180BE7CC331C33AD69
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):51024
                                                                                                                        Entropy (8bit):6.586044901234663
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):158536
                                                                                                                        Entropy (8bit):6.099308643881142
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):5574984
                                                                                                                        Entropy (8bit):6.602451893010093
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):36176
                                                                                                                        Entropy (8bit):5.567402393895328
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):36176
                                                                                                                        Entropy (8bit):5.6249677629573975
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):64336
                                                                                                                        Entropy (8bit):4.138497882073908
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):55120
                                                                                                                        Entropy (8bit):4.198097244254268
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):63824
                                                                                                                        Entropy (8bit):4.071553378315362
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):64336
                                                                                                                        Entropy (8bit):4.116559437691112
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):62288
                                                                                                                        Entropy (8bit):4.096848487555631
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):43856
                                                                                                                        Entropy (8bit):5.450515263694396
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:768:asTbayVn/G0tJxtr10/euKRHIW/b6FjXHUt:zTeyp/Gu/uM96FrHUt
                                                                                                                        MD5:D349E4F73637B2D93F4E539F1B688FBA
                                                                                                                        SHA1:CFBD02463CC55DBE303991E36C4A971156EBC127
                                                                                                                        SHA-256:7F5D9D16F21362D9F76A9C5DFE2EC7CC844339D0FDBB6E895D6B466FD2014882
                                                                                                                        SHA-512:192EC438A16CAA3A6BA07A035373BF6F13DEAA9027661080AB4488018EA5D85F79AAC5D725E6575A5993C2DBB71344234A87294F79522E4F36BA25130DB198E9
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):43344
                                                                                                                        Entropy (8bit):5.555801057350179
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:768:sVz754LQTNl2raHniJNB2I7Cvqsb6Fjpv/j:K51TNlfniJv2I7CvqI6F5/j
                                                                                                                        MD5:7DE94FC198911821D00D19F1DF0B13A8
                                                                                                                        SHA1:13FADBDF4AA8A235FB143C610A20DBD977BA637A
                                                                                                                        SHA-256:CE9FD8D107522C4FACD911B3D129D377B9D53855DA92829EE12B81D3897143D3
                                                                                                                        SHA-512:E55C1CD8DD17059B5675D1501501073C34C1CEB9DD16103471992103284C7B1B5C526CFF4F4767E0BE75CD4D9A82B1213E324EB6C0E460F92AA8E686317230D5
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):60752
                                                                                                                        Entropy (8bit):4.688466748669338
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:768:jURq/lFXOv10uqN9TMIVhtZ3FckD+Sub6FjpvT:5DXOv1IhTVi6F5T
                                                                                                                        MD5:2A3690BB6F39EA0764083C16D3106279
                                                                                                                        SHA1:0844D3A781DA0EC802D21C1985BB9B6C0A3524CE
                                                                                                                        SHA-256:AF94F081DE3CD96BE6FB04DFE69AE54124813B61DC994051B1AB6118AEE55393
                                                                                                                        SHA-512:AC6DBAB8169C97B520A54DC5D3A28573C78ED3A3647F2F2F05B7896A11EAAEE20A21E95276EED26778FCE7A4D64C578546478850902CAC692E819B15A44B696F
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):5601616
                                                                                                                        Entropy (8bit):6.579237650610741
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:98304:H0g27TTwiMfeEA5KFLOAkGkzdnEVomFHKnPA:H0g2H8kEHFLOyomFHKnPA
                                                                                                                        MD5:85ED13922DF97474AF9979CA456C6748
                                                                                                                        SHA1:D79CDD200B6543E06D18ED67E44C7BBA50DE7D85
                                                                                                                        SHA-256:4C33D4179FFF5D7AA7E046E878CD80C0146B0B134AE0092CE7547607ABC76A49
                                                                                                                        SHA-512:DCF9BB66A621D49D036F418337C2C454C3A3212C3D008C2DFE764B374FFAED1CE7EA3C6FB30F0C30A64AE3B901146FE474427E9BF4931E01E1A5CB5DCF2B5033
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):93008
                                                                                                                        Entropy (8bit):5.865195279175132
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:2zvnax/md7ztOtoFsDQujnLSVepbOlT0Q6FrHU:4vseRztOiF6QujnLdpbOlT09Fo
                                                                                                                        MD5:0ABD7066FD6C679996544FC6B1C9C900
                                                                                                                        SHA1:0F25DC20B014E96163536E9B4A154503B011D9AE
                                                                                                                        SHA-256:A7EE3365ED136DE6A1118A482E29D27CB22A1FB7E6480B43576D97F7C206521A
                                                                                                                        SHA-512:93915EA7166BFBA65D0F009930DF052218F9330E2BD2F5703F94CF3A686780D72B60DCBB4C83E8D9BBDB97CF8F12EF6396A94FC5AEA03217023BF86DEF5F4A59
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):93008
                                                                                                                        Entropy (8bit):5.8720901944163515
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:+sOnzFYw4a7i58f0r+GJrnLSV/fwOliEbJ6FrHU3:zOnCVa77fU+G1nLGfwOliEbEFo3
                                                                                                                        MD5:2AD5E2D97BD3E07E269966CA53536606
                                                                                                                        SHA1:0559C47D1370B2574109F087D4CF4B5FF6F44F05
                                                                                                                        SHA-256:CD133448EFCE4FB3AB517A78D8138455FBD90ED02E8748C63D10C381AD89276E
                                                                                                                        SHA-512:59AB40AA814AC909A3DF0B09C02F75A34E997A91FB6B83FEE290204E66265B68609950A6240EACC8382B55CC1A5B5F8E57F6433A9CDDFA4CF538F9068A31A3E1
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):608080
                                                                                                                        Entropy (8bit):6.297676823354886
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:12288:koBFUsQ1H5FH3YUTd/df0RA7XkNvEKZm+aWodEEiblHN/:dFUsQ1H5FHdGKkNvEKZm+aWodEEcHN/
                                                                                                                        MD5:D029339C0F59CF662094EDDF8C42B2B5
                                                                                                                        SHA1:A0B6DE44255CE7BFADE9A5B559DD04F2972BFDC8
                                                                                                                        SHA-256:934D882EFD3C0F3F1EFBC238EF87708F3879F5BB456D30AF62F3368D58B6AA4C
                                                                                                                        SHA-512:021D9AF52E68CB7A3B0042D9ED6C9418552EE16DF966F9CCEDD458567C47D70471CB8851A69D3982D64571369664FAEEAE3BE90E2E88A909005B9CDB73679C82
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):829264
                                                                                                                        Entropy (8bit):6.553848816796836
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:12288:QgzGPEett9Mw9HfBCddjMb2NQVmTW75JfmyyKWeHQGoko+1:HzJetPMw9HfBCrMb2Kc6dmyyKWewGzB1
                                                                                                                        MD5:366FD6F3A451351B5DF2D7C4ECF4C73A
                                                                                                                        SHA1:50DB750522B9630757F91B53DF377FD4ED4E2D66
                                                                                                                        SHA-256:AE3CB6C6AFBA9A4AA5C85F66023C35338CA579B30326DD02918F9D55259503D5
                                                                                                                        SHA-512:2DE764772B68A85204B7435C87E9409D753C2196CF5B2F46E7796C99A33943E167F62A92E8753EAA184CD81FB14361E83228EB1B474E0C3349ED387EC93E6130
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):57168
                                                                                                                        Entropy (8bit):6.31505190202515
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:XzxgpALeyRrDc5lTNqoZRE0nLSaS/m6F54:XdgbyR/c5XqoP1pS/7F54
                                                                                                                        MD5:28F5F119EEACB872120904945362CA4C
                                                                                                                        SHA1:285D1BF45529296780FDE5DEF4B46BAAAD9B36AA
                                                                                                                        SHA-256:34ABD773C85CE0CAC56BD93C12B00B03A3A695D19F477CE275A64F09984C5492
                                                                                                                        SHA-512:4E619509D1876B62E85FC52AE1CDB99C95F16CC07CB2CD0C3498D8C1D0D6A2E52B5E478E95942050E6C3341346BA57E55151EDB27C7799A82D3FDE5535F0839D
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exe
                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 text, with very long lines (403), with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):4116
                                                                                                                        Entropy (8bit):5.020301733311631
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:96:BTfNydGeKamCZph9sg6EcdRUu798zI/0qAo:CG8Qd/0qx
                                                                                                                        MD5:3D30E85DFA1AC09539917F39281AFEC1
                                                                                                                        SHA1:B148CF60EA4525D68C02FB2D70E278DA563EDC06
                                                                                                                        SHA-256:A741D086C9D4078C03432F6C55583F5918028A867B0E006E9737978DF94E5919
                                                                                                                        SHA-512:7622EB019A56CCAFFFCB834000B53CBEBA9562065E4FF02EED64913DAF65E4D622D623D136DC56AA0CC83697632044F26D0530E897B99D7D6D25543465924435
                                                                                                                        Malicious:false
                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<WixLocalization Culture="es-hn" Language="18442" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">Instalaci.n de [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.Est. seguro de que desea cancelar?</String>.. <String Id="HelpHeader">Ayuda para la Instalaci.n</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - Instala, repara, desinstala o..crea una copia local completa del paquete en el directorio. Instalar es la opci.n predeterminada...../passive | /quiet - Muestra una interfaz de usuario m.nima y sin instrucciones o..no muestra la interfaz de usuario ni las instrucciones. La opci.n predeterminada muestra la interfaz de usuario y todas las instrucciones...../norestart - Impide cualquier intento de reiniciar. La interfaz de usuario mostrar. de forma predeterminada un aviso antes de reiniciar.../log log.
                                                                                                                        Process:C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exe
                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):3560
                                                                                                                        Entropy (8bit):6.211589245812524
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:48:cVT8tOeststhDnkT9C5WNJriuSpN/l/fN3mZS3uNONeN1rZ8vWqPSlTKRKUTKlK2:8TafTk5CgNJGzf8mkE0EFZCmJHQ9
                                                                                                                        MD5:1A41D14ACE8494C97A55FBDDF5C51970
                                                                                                                        SHA1:6B060BED64F764C982A2445F98D3172E18D30354
                                                                                                                        SHA-256:A4FEA39366F239A50AC32B715CCD4327BE584C0A84DFCA7678980A3D9C3D5571
                                                                                                                        SHA-512:C9008B5FDDD9F537B183C970CF6D3DC84CFD0C8CCAD6E5D79C61A84B4D897A3C6C5080BE1FD273CC0B27D92FB760CDAC5636404107CB7089EA530F71632FB04C
                                                                                                                        Malicious:false
                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<WixLocalization Culture="zh-cn" Language="2052" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">[WixBundleName] ..</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">........</String>.. <String Id="HelpHeader">....</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - ........ ................................/passive | /quiet - .... UI ....... UI ....... ........ UI ........../norestart - .................... UI.../log log.txt - ................. %TEMP% ....</String>.. <String Id="HelpCloseButton">..(&amp;C)</String>.. <String Id="InstallLicenseLinkText">[WixBundleName] &lt;a href="#"
                                                                                                                        Process:C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exe
                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 text, with very long lines (371), with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):4077
                                                                                                                        Entropy (8bit):5.078273827092147
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:96:7TFZOAlcArP7NuNN8YWZhgcyaqsSPLjqrJ5XQuU:PVGATELc16qrJ5XW
                                                                                                                        MD5:DF1088ADC7CA04D9BCC07937D0A0E263
                                                                                                                        SHA1:3992609413D855FFA280305DDB99563D661309F5
                                                                                                                        SHA-256:6C557265F2E5711F48D98761BFA69BE472415E7A329E5780899DCD771C59E893
                                                                                                                        SHA-512:9C2403C57CDA5F90F26C3ECF8D0D62D7DD5AD23AD5F93E7108ABD57EF5DFEB9DED60D523AED9DB12DEA440AD58E8596E2FE6C8F44E7F9B2449C06E5DD7D8CF53
                                                                                                                        Malicious:false
                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<WixLocalization Culture="de-de" Language="1031" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">Setup von [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">M.chten Sie den Vorgang wirklich abbrechen?</String>.. <String Id="HelpHeader">Setup-Hilfe</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - installiert, repariert oder deinstalliert.. das Paket oder erstellt eine vollst.ndige lokale Kopie davon im Verzeichnis. Installieren ist der Standardbefehl...../passive | /quiet - zeigt eine minimale Benutzeroberfl.che (UI) ohne Meldungen oder keine UI und.. keine Meldungen an. Standardm..ig werden die UI und alle Meldungen angezeigt...../norestart - unterdr.ckt jeden Versuch eines Neustarts. Standardm..ig wird auf der UI vor dem Neustart eine Meldung angezeigt.../log log.txt . erstellt ein Protokoll in
                                                                                                                        Process:C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exe
                                                                                                                        File Type:XML 1.0 document, ASCII text, with very long lines (354), with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):3803
                                                                                                                        Entropy (8bit):5.032354520770157
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:48:cyMT8desK19hDUNKwsqq8+JIDxN/WcN3mt7NlN1NVvAdMcgzPDHVXK8KTKjKnSJ7:MTLbTxmOeup/vTAAToUDWhVFG7h
                                                                                                                        MD5:8ABA1FE91408D3306295A8F95EEE7CAE
                                                                                                                        SHA1:FC679ABFCBFFF458D4FE0629B42140A5BE16D3B9
                                                                                                                        SHA-256:BCC31F8B77B46B9E71B1BDA74ED449787D3B324AD4DC3A05489B9639C3EB3009
                                                                                                                        SHA-512:FE4D395B34D759CC6418500078FC76C6A21D4CD9311DAF7A6C7765822607063ECE417C73F1E1B94B9FAF314AF0E8E5A353E501082D720436BE6E2239082D5CA4
                                                                                                                        Malicious:false
                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<WixLocalization Culture="en-us" Language="1033" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">[WixBundleName] Setup</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Are you sure you want to cancel?</String>.. <String Id="HelpHeader">Setup Help</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - installs, repairs, uninstalls or.. creates a complete local copy of the bundle in directory. Install is the default...../passive | /quiet - displays minimal UI with no prompts or displays no UI and.. no prompts. By default UI and all prompts are displayed...../norestart - suppress any attempts to restart. By default UI will prompt before restart.../log log.txt - logs to a specific file. By default a log file is created in %TEMP%.</String>.. <String Id="HelpCloseButton">&amp;Close</String>.. <String Id="InstallLicenseLinkText">[
                                                                                                                        Process:C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exe
                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):4622
                                                                                                                        Entropy (8bit):5.888907467553762
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:96:rTgwtB8QW2Y6lnOGjiK4fP0/vue+5R1NQ+O4ZsLAT15eH:J88TIjNjQp4gH
                                                                                                                        MD5:EE62602AE6B9D6F76ED48F30CDD6BD3F
                                                                                                                        SHA1:8B3697E8BD716D3865577B8680E04433E847613D
                                                                                                                        SHA-256:A1D9D722EB00973E312EAE8649EF34FCE2697F16F1CB3EE3A0B844B330421FC8
                                                                                                                        SHA-512:FA01C37F2C4873F3982FD83C016D20E1521A7DEA66A0C6904FCA0ABBBE06AC77C4A4D33CED35104543DF91FC26BBF8E1C597C34117FE3E7C0DA538949CA9F7FB
                                                                                                                        Malicious:false
                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<WixLocalization Culture="ja-jp" Language="1041" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">[WixBundleName] ......</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">...............</String>.. <String Id="HelpHeader">..........</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory]...................... .........................................................../passive | /quiet..... UI ......................UI ................ ........UI....................../norestart.......
                                                                                                                        Process:C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exe
                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):5822
                                                                                                                        Entropy (8bit):5.177630994039433
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:96:wHdK+3UzSgz96zYvHKFBiUcjqs81Ef3espO:wHuz8
                                                                                                                        MD5:A35C72008597BF43ED1B25A420BA67C2
                                                                                                                        SHA1:8211BFEB70D703B5E11651D647A29FFA3ED81270
                                                                                                                        SHA-256:CDFF18C3DFA30F559E8A717A33DE369BCDECBC4CD8EF39DADBF4C70772B6561F
                                                                                                                        SHA-512:D79B498281C12F586774071187797563C341CBCC8224A84AE904E658960904E2DF8C710B021B4F35322974E03570E7E3E743E0FC33CE58604A84D2E224BF33DE
                                                                                                                        Malicious:false
                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<Theme xmlns="http://wixtoolset.org/schemas/thmutil/2010">.. <Window Width="485" Height="300" HexStyle="100a0000" FontId="0">#(loc.Caption)</Window>.. <Font Id="0" Height="-12" Weight="500" Foreground="000000" Background="FFFFFF">Segoe UI</Font>.. <Font Id="1" Height="-24" Weight="500" Foreground="000000">Segoe UI</Font>.. <Font Id="2" Height="-22" Weight="500" Foreground="666666">Segoe UI</Font>.. <Font Id="3" Height="-12" Weight="500" Foreground="000000" Background="FFFFFF">Segoe UI</Font>.. <Font Id="4" Height="-12" Weight="500" Foreground="ff0000" Background="FFFFFF" Underline="yes">Segoe UI</Font>.... <Image X="11" Y="11" Width="275" Height="64" ImageFile="..\logo.png" Visible="yes"/>.... <Page Name="Help">.. <Text X="11" Y="80" Width="-11" Height="30" FontId="2" DisablePrefix="yes">#(loc.HelpHeader)</Text>.. <Text X="11" Y="112" Width="-11" Height="-35" FontId="3" DisablePrefix="yes">#(loc.HelpText)</Te
                                                                                                                        Process:C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exe
                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 text, with very long lines (354), with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):3848
                                                                                                                        Entropy (8bit):5.124942481420578
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:48:c9oT8vXes/4ShDv0/TQgsWDj4N/kr/N3msl0N+NWNP4NHhc9skPDXeKKeK9KfKtj:vTUlUze8rlpl2UsaMyN2KJcre
                                                                                                                        MD5:5CEF31FE909B0CB8BFBD714428219784
                                                                                                                        SHA1:931C1FBC1936037A5CB265B3AF8E3D4B86F62237
                                                                                                                        SHA-256:63E0D1B0C2A785938E5F36F820FA27F719F19F7CAF0E5CEB251368B1E3D5F02E
                                                                                                                        SHA-512:D67B89E405441D51DE30260FC349050618DC863EEE9B70304D8601EE0B11311C0DAFB0EA5A42D9AFABAB25CEDF57DC9DDCFA4A9BA06791A0A73625902B39BD91
                                                                                                                        Malicious:false
                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<WixLocalization Culture="pt-br" Language="1046" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">Configura..o [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Tem certeza de que deseja cancelar?</String>.. <String Id="HelpHeader">Ajuda para configura..o</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - instala, repara, desinstala ou.. cria uma c.pia local completa do pacote no diret.rio. O padr.o . instalar...../passive | /quiet - exibe UI m.nima sem alerta ou n.o exibe UI nem.. alerta. Por padr.o, a UI e todos os alertas s.o exibidos...../norestart - impede qualquer tentativa de reiniciar. Por padr.o, a UI exibe alerta antes de reiniciar.../log log.txt - registra um arquivo espec.fico. Por padr.o, um arquivo de registro . criado em %TEMP%.</String>.. <String Id="HelpCloseButton">&amp;Fe
                                                                                                                        Process:C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exe
                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 text, with very long lines (403), with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):4116
                                                                                                                        Entropy (8bit):5.020301733311631
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:96:BTfNydGeKamCZph9sg6EcdRUu798zI/0qAo:CG8Qd/0qx
                                                                                                                        MD5:3D30E85DFA1AC09539917F39281AFEC1
                                                                                                                        SHA1:B148CF60EA4525D68C02FB2D70E278DA563EDC06
                                                                                                                        SHA-256:A741D086C9D4078C03432F6C55583F5918028A867B0E006E9737978DF94E5919
                                                                                                                        SHA-512:7622EB019A56CCAFFFCB834000B53CBEBA9562065E4FF02EED64913DAF65E4D622D623D136DC56AA0CC83697632044F26D0530E897B99D7D6D25543465924435
                                                                                                                        Malicious:false
                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<WixLocalization Culture="es-hn" Language="18442" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">Instalaci.n de [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.Est. seguro de que desea cancelar?</String>.. <String Id="HelpHeader">Ayuda para la Instalaci.n</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - Instala, repara, desinstala o..crea una copia local completa del paquete en el directorio. Instalar es la opci.n predeterminada...../passive | /quiet - Muestra una interfaz de usuario m.nima y sin instrucciones o..no muestra la interfaz de usuario ni las instrucciones. La opci.n predeterminada muestra la interfaz de usuario y todas las instrucciones...../norestart - Impide cualquier intento de reiniciar. La interfaz de usuario mostrar. de forma predeterminada un aviso antes de reiniciar.../log log.
                                                                                                                        Process:C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exe
                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):3560
                                                                                                                        Entropy (8bit):6.211589245812524
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:48:cVT8tOeststhDnkT9C5WNJriuSpN/l/fN3mZS3uNONeN1rZ8vWqPSlTKRKUTKlK2:8TafTk5CgNJGzf8mkE0EFZCmJHQ9
                                                                                                                        MD5:1A41D14ACE8494C97A55FBDDF5C51970
                                                                                                                        SHA1:6B060BED64F764C982A2445F98D3172E18D30354
                                                                                                                        SHA-256:A4FEA39366F239A50AC32B715CCD4327BE584C0A84DFCA7678980A3D9C3D5571
                                                                                                                        SHA-512:C9008B5FDDD9F537B183C970CF6D3DC84CFD0C8CCAD6E5D79C61A84B4D897A3C6C5080BE1FD273CC0B27D92FB760CDAC5636404107CB7089EA530F71632FB04C
                                                                                                                        Malicious:false
                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<WixLocalization Culture="zh-cn" Language="2052" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">[WixBundleName] ..</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">........</String>.. <String Id="HelpHeader">....</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - ........ ................................/passive | /quiet - .... UI ....... UI ....... ........ UI ........../norestart - .................... UI.../log log.txt - ................. %TEMP% ....</String>.. <String Id="HelpCloseButton">..(&amp;C)</String>.. <String Id="InstallLicenseLinkText">[WixBundleName] &lt;a href="#"
                                                                                                                        Process:C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exe
                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (1032), with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):40240
                                                                                                                        Entropy (8bit):3.8054886633767677
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:X0svI+x61h6N/nEGk3639BW4EIxN4+NmQ/NqlbbOmdUSTOb5PH:X0svI+x61h6N/nEGG09B3ZxN4+Nf
                                                                                                                        MD5:B4B2C7360FAEFF41522CEDE49C4B33E9
                                                                                                                        SHA1:AA148E0CA7EF92A0D289B364391ACBAF963CA949
                                                                                                                        SHA-256:43886E128AA95B5BA4068FE80502AEAC778339DA734B25133B855DBEE28E39DC
                                                                                                                        SHA-512:0CD34526BFAAD02DBA8A10821E0CC76329C15E683171E026E531ABC84452F2332744AB57D5FCF029703FE7021166B822E1DDE54712240ED4FD323B7303F77AC2
                                                                                                                        Malicious:false
                                                                                                                        Preview:<?xml version="1.0" encoding="utf-16"?>..<BootstrapperApplicationData xmlns="http://schemas.microsoft.com/wix/2010/BootstrapperApplicationData">..  <WixBalCondition Condition="InternetExplorerVersion &gt;= MinimumInternetExplorerVersion" Message="#(loc.InternetExplorerRequired)" />..  <WixBundleProperties DisplayName="S&amp;P Capital IQ Pro Office" LogPathVariable="WixBundleLog" Compressed="no" Id="{56aa9754-57aa-4a26-a164-12075d94eb2e}" UpgradeCode="{A73CE2F3-7813-4554-8CAB-D53B1497D832}" PerM
                                                                                                                        Process:C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exe
                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):115200
                                                                                                                        Entropy (8bit):6.5083800934218425
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3072:AQ2K71sM1vkNv+xum5KuY36mcCgFj+K8wV3K9j8b:AQ26CMC+Qm0B6egRJCjO
                                                                                                                        MD5:73245714C643A0EAB0CDEF257F1A69E3
                                                                                                                        SHA1:7745F703EEC01BC8280FB69CC1E38A7F18993D7F
                                                                                                                        SHA-256:5E3C19623F55D2160967CA1BC8BB23FD17006DC34DDB082277F56019DEB62120
                                                                                                                        SHA-512:0594CDF30BA50702515C751FE281EB03223241DF51E08DEF7EB88596207ACF330E7A5B93A7F453BD9B2E0E90D74C3FAA5A9FC8D3976552A5EEE689B035773C54
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exe
                                                                                                                        File Type:PNG image data, 400 x 70, 8-bit/color RGBA, non-interlaced
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):32988
                                                                                                                        Entropy (8bit):7.973162959752592
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:768:iRjXONedB6J9BFhCK1HLbmnFlP1xcoQmzF2AXHWPzIYXNeGy:i5O0D6J9BnCKxbmDP3D4y25eGy
                                                                                                                        MD5:746C38F3B09E6FAFA039363E990AB750
                                                                                                                        SHA1:645BF05B1371060468C66E4ACF824879FE772E1A
                                                                                                                        SHA-256:D77BF860F71F874004C9132395005714794CF8C7084BFC58ADE03771EC1FEE66
                                                                                                                        SHA-512:F9A9C1988E3D01E5056F5AEBC41513AE2100AF3909B185761D855AADD721D786F664E360690002461A116F669171CDD9DAE2DE734F7CBE364A8B2FD5DC543F9D
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exe
                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):4509
                                                                                                                        Entropy (8bit):5.019310194487883
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:96:8LuThH+bhBabTxmOeup/vrwWATZgoVOBq9LRO:UbirwBDzO
                                                                                                                        MD5:FC0DB4142556D3F38B0744A12F5F9D3D
                                                                                                                        SHA1:B0595044C4CAC49FE89B982E6AEC9BAFF38460AD
                                                                                                                        SHA-256:8FBEB7F0B546D394D99B49D678D516402E8F54E5DEA590CC91733F502F288019
                                                                                                                        SHA-512:F2F29DB5F3B0E13BC0B1FE738EF90B65D82E5513D0F82EB663C39313C5EDAAB53FDEB4BCC0493374253B2994B927CFD5764F5FEDAFD2E3F570D09893F9B26582
                                                                                                                        Malicious:false
                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>.. Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information. -->......<WixLocalization Culture="en-us" Language="1033" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">[WixBundleName] Setup</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="InstallHeader">Welcome</String>.. <String Id="InstallMessage">Setup will install [WixBundleName] on your computer. Click install to continue, options to set the install directory or Close to exit.</String>.. <String Id="InstallVersion">Version [WixBundleVersion]</String>.. <String Id="ConfirmCancelMessage">Are you sure you want to cancel?</String>.. <String Id="ExecuteUpgradeRelatedBundleMessage">Previous version</String>.. <String Id="HelpHeader">Setup Help</String>.. <String Id="HelpText">/install | /repair | /uninsta
                                                                                                                        Process:C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exe
                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):6472
                                                                                                                        Entropy (8bit):5.2470152236657706
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:96:SfF9OXcXRja6O4z96DY1ZHaFhikGg3znCO88mesP33sw2:SfJaoTE
                                                                                                                        MD5:F2FFDD5BEC2D3D057E68C4DBFCEDC57E
                                                                                                                        SHA1:0F0C7125A543BD73AAB1D82807AF5EF98FCF0C17
                                                                                                                        SHA-256:6D96E1048D409CB12A02F331AE84688848BC31416E49E475565216C514B30485
                                                                                                                        SHA-512:011EEBA0084223987905ED42EC40D24D575BCA9B9D0294C650A538BE35950055877FD3B31CB8B20F047C067B722C9AFB3A28B87C29AEF0F907B0E49A03EF2AB6
                                                                                                                        Malicious:false
                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<Theme xmlns="http://wixtoolset.org/schemas/thmutil/2010">.. <Window Width="495" Height="310" HexStyle="100a0000" FontId="0">#(loc.Caption)</Window>.. <Font Id="0" Height="-12" Weight="500" Foreground="000000" Background="FFFFFF">Segoe UI</Font>.. <Font Id="1" Height="-24" Weight="500" Foreground="000000">Segoe UI</Font>.. <Font Id="2" Height="-22" Weight="500" Foreground="666666">Segoe UI</Font>.. <Font Id="3" Height="-12" Weight="500" Foreground="000000" Background="FFFFFF">Segoe UI</Font>.. <Font Id="4" Height="-12" Weight="500" Foreground="ff0000" Background="FFFFFF" Underline="yes">Segoe UI</Font>.... <Image X="11" Y="11" Width="400" Height="70" ImageFile="logo.png" Visible="yes"/>.... <Page Name="Help">.. <Text X="11" Y="80" Width="-11" Height="30" FontId="2" DisablePrefix="yes">#(loc.HelpHeader)</Text>.. <Text X="11" Y="112" Width="-11" Height="-35" FontId="3" DisablePrefix="yes">#(loc.HelpText)</Text>.. <Button Name="Help
                                                                                                                        Process:C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exe
                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):179200
                                                                                                                        Entropy (8bit):6.528352683227767
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3072:Pl5bBa/bNK3w4AY6CHGN6XZhuEvY2P9bK6SEPZY/Sq6QY9vJ/SLi9Y+WxhslrN1j:PlPa/bN+w/YhzXZhyQK6zPucy2jblx1j
                                                                                                                        MD5:8CA04519005AD03B4D9E062B97D7F79D
                                                                                                                        SHA1:DF53ED9440D027401D502F3297668009030350A7
                                                                                                                        SHA-256:7B9F919A3D1974FD8FA35AD189EDC8BF287F476BD377E713E616B26864A4B0D3
                                                                                                                        SHA-512:1A29E9E9BD798C892A7CD3CD4FF259195E4A92E26F53E8F1A86C75C5EB8FDDA58CEBA312CD791651FAD5CE04529696195815A4BA5C143AD52A5EA0D7C539BB77
                                                                                                                        Malicious:false
                                                                                                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...........Qq.}Qq.}Qq.}..j}Xq.}..h}&q.}..i}Iq.}...|@q.}...|Aq.}...|Kq.}X..}Uq.}X..}Lq.}Qq.}Sp.}...|Hq.}...|Pq.}..d}Pq.}Qq.}Pq.}...|Pq.}RichQq.}........................PE..L......Z...........!......................................................................@....................................................................4.......T...............................@...............\............................text............................... ..`.rdata.............................@..@.data...............................@....rsrc...............................@..@.reloc..4...........................@..B........................................................................................................................................................................................................................................................................
                                                                                                                        Process:C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):687576
                                                                                                                        Entropy (8bit):7.291079287926429
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:12288:dAjuakTOfDlEU4HWDblFlOTPThN7INKwaNUgMI7QnA5Q:Gu/OfDlEUKWflmTP372KnMLAq
                                                                                                                        MD5:C09651C0422F8BB452B82232A454EEE8
                                                                                                                        SHA1:B7EC43F40CB6F8895DE76D658FC4E8B2ECBB3038
                                                                                                                        SHA-256:DC5F345565AA2CC4DD0B446D96204CB9F7135757795370FD581AB4A9458D8B1D
                                                                                                                        SHA-512:BE99051535C843E67D03E54836331B776D3545D785C5B1085188994D64492DF6B1B392D0957F0AA85BC4C89AF3333CBDBEA3CB20FF2431E21D2FD192D6A45CE7
                                                                                                                        Malicious:true
                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A!.S.@...@...@......@.....y@......@..."|..@..."{..@..."z.#@...8...@...8...@...@~.PA...#z.N@...#...@...@...@...#}..@..Rich.@..................PE..L......Z..........................................@..........................`............@..............................................G...........T.. )... ...=..Pv..T....................v......0p..@...................4........................text...7........................... ..`.rdata..`...........................@..@.data...0...........................@....wixburn8...........................@..@.rsrc....G.......H..................@..@.reloc...=... ...>..................@..B................................................................................................................................................................................................................................................
                                                                                                                        Process:C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exe
                                                                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: S&P Capital IQ Pro Plugin Manager, Author: S&P Global Market Intelligence, Keywords: Installer, Comments: S&P Capital IQ Pro Office, Template: Intel;1033, Revision Number: {F16935F8-F23A-4720-BD54-71BE8DB064DA}, Create Time/Date: Thu Apr 4 17:08:44 2024, Last Saved Time/Date: Thu Apr 4 17:08:44 2024, Number of Pages: 301, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.1.2318), Security: 2
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):4820992
                                                                                                                        Entropy (8bit):7.944154231922389
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:98304:bzlHHxYRemOM+Q3+I45LfQQTNTSOz+0uStN6BYRtWljyGqhF:dCerfqaLoQTNGOzmwwBY3WjG
                                                                                                                        MD5:E3DE50D65FFECF14BA4A6BA04A011286
                                                                                                                        SHA1:B8135627D4ABE71BC7D51E4479D4A6DD1B9CF804
                                                                                                                        SHA-256:416F72EA80F4797B44C11C5B87049A29F36B5A0FC505C50E28BD9EC37EB6899F
                                                                                                                        SHA-512:8BFCA3BBC7625EE20A92932BFC02E51E00605DFF1CDA2D8DBC37303FCE457D5A5C82364E0B0D107098EC9E1A38C5AD36673825F9872AF74EF24B924E0F1265C9
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exe
                                                                                                                        File Type:data
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):8
                                                                                                                        Entropy (8bit):1.061278124459133
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3:cn:cn
                                                                                                                        MD5:34494BDF51B170AAC2642B349CD279AC
                                                                                                                        SHA1:B5187E0A2EBA982A99B6E7B98CA5672A424A8F0D
                                                                                                                        SHA-256:BE17E371BFA18DBEF22DCBCD3E73DA0C7D9A993273BEADEC46BE50511240C5AF
                                                                                                                        SHA-512:FED518BFF5EBC7D530B0B74AF67C418C820D0BD7C8A0F51831B4D9DA8BC3955591C27A3EB7D083C059921CA75D476E1CAC4B89988A1A54518B67366084D26224
                                                                                                                        Malicious:false
                                                                                                                        Preview:..I.....
                                                                                                                        Process:C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exe
                                                                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: S&P Capital IQ Pro Office, Author: S&P Global Market Intelligence, Keywords: Installer, Comments: S&P Capital IQ Pro Office, Template: Intel;1033, Revision Number: {A34B3796-9442-4328-875C-4043632CEC59}, Create Time/Date: Thu Apr 4 17:14:30 2024, Last Saved Time/Date: Thu Apr 4 17:14:30 2024, Number of Pages: 301, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.1.2318), Security: 2
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):177909760
                                                                                                                        Entropy (8bit):7.999378812785999
                                                                                                                        Encrypted:true
                                                                                                                        SSDEEP:3145728:Gur9MxsBd6qnpx2tnQBcXE/qWxiPBDx9g4j/pIBtPDf8DeDEdbAYo9A:Guqy9n2KCd2ORIBtUKD+AY
                                                                                                                        MD5:8972115A8C22F49F48522ADC11475E1D
                                                                                                                        SHA1:1799375A068C88A55D5703896CD5477FB9D45692
                                                                                                                        SHA-256:B354809355612AB26E579AD665732C76A3A70F6021299F35888836F0E63E88D3
                                                                                                                        SHA-512:3F2D7B4F7634EB8365D185193EF27ABBA9A7E39BC0F05DE6B34BEBD12E4792F9172653B81E0A0DA70BBE4B8FB09A289AA28997105F62A8179025379DF4DB3ACB
                                                                                                                        Malicious:true
                                                                                                                        Process:C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exe
                                                                                                                        File Type:data
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):8
                                                                                                                        Entropy (8bit):1.5487949406953985
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3:PX:/
                                                                                                                        MD5:6F4A9B55D681BA9000A765BFCAF7BBB5
                                                                                                                        SHA1:1D9E47DFBE3985F9EAB955D6D746C1DD49C85299
                                                                                                                        SHA-256:E43F11029AB9C1209939B9232839AEB7FD32426FD75B8339CF918919F23EF524
                                                                                                                        SHA-512:2707B00C73742D4CC3D14AA15185F30459F51E6933C2A17CFFE223A71F818B44F305FA86380E5555E7D2EB96B7E0A00539D268BE69B5B000D4278E8D9E848614
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):40293040
                                                                                                                        Entropy (8bit):7.9998820441717795
                                                                                                                        Encrypted:true
                                                                                                                        SSDEEP:786432:VymLquc2wR4K1zQQZvaq2/mDwTxvb65bksfqN:zqucHdJaqKIOvmZdfa
                                                                                                                        MD5:72F6A267DE1FA813073DED67D952FD40
                                                                                                                        SHA1:56704865939C2388913D05724632D7B3B67D3CD9
                                                                                                                        SHA-256:729E347DF0D99C3D40ED2AC5026F2D629FA001B4C13BE57B56E96591EC0116BC
                                                                                                                        SHA-512:C0389ABE583F4D86B0E8BB518684095AF08DE595E7DFAB440180786DEF223DEA78E98C809FFCEF6B6457C9F07EEFB735FC595192C7C37DFD31B2F67D4E9CF33F
                                                                                                                        Malicious:true
                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#pA.B...B...B..gM...B...B...B..gMC..B..gMA..B..gM@..B..gMD..B..Rich.B..........................PE..L....jkG.............................c... ........... ................................f.......... ....................................................f..>.......... "...............................&..@............ ...............................text........ ...................... ..`.data...............................@....rsrc.............f.................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                        Process:C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exe
                                                                                                                        File Type:data
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):8
                                                                                                                        Entropy (8bit):2.0
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3:Dtn:h
                                                                                                                        MD5:3889E7A2F2A537DD3C936319C968EAF6
                                                                                                                        SHA1:A5D2616674EA5E1DEA8A454CB1255D955520EFA3
                                                                                                                        SHA-256:CE02EB7AAF65C68F6291D439C054F0948F193F8B435BB477E763232FEC03AD3E
                                                                                                                        SHA-512:FF8D45F12176C077DCFD3164A217C14B54373A7C703E9593C0D9764841B6084B8100ACE44F531D0B9ED8A68730C8C02EB9DB74688894EFEB8E14B9BADA2F73D2
                                                                                                                        Malicious:false
                                                                                                                        Preview:..f.....
                                                                                                                        Process:C:\Users\user\Desktop\SPCapIQProOffice-1.0.24095.1.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):687576
                                                                                                                        Entropy (8bit):7.291079287926429
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:12288:dAjuakTOfDlEU4HWDblFlOTPThN7INKwaNUgMI7QnA5Q:Gu/OfDlEUKWflmTP372KnMLAq
                                                                                                                        MD5:C09651C0422F8BB452B82232A454EEE8
                                                                                                                        SHA1:B7EC43F40CB6F8895DE76D658FC4E8B2ECBB3038
                                                                                                                        SHA-256:DC5F345565AA2CC4DD0B446D96204CB9F7135757795370FD581AB4A9458D8B1D
                                                                                                                        SHA-512:BE99051535C843E67D03E54836331B776D3545D785C5B1085188994D64492DF6B1B392D0957F0AA85BC4C89AF3333CBDBEA3CB20FF2431E21D2FD192D6A45CE7
                                                                                                                        Malicious:true
                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A!.S.@...@...@......@.....y@......@..."|..@..."{..@..."z.#@...8...@...8...@...@~.PA...#z.N@...#...@...@...@...#}..@..Rich.@..................PE..L......Z..........................................@..........................`............@..............................................G...........T.. )... ...=..Pv..T....................v......0p..@...................4........................text...7........................... ..`.rdata..`...........................@..@.data...0...........................@....wixburn8...........................@..@.rsrc....G.......H..................@..@.reloc...=... ...>..................@..B................................................................................................................................................................................................................................................
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:data
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):73728
                                                                                                                        Entropy (8bit):0.19490316029188162
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:48:6bZfeSb6QqyOMhSbedCaSyedCw1S3VafPT7AZDP:GZqQqaWna/nw1S3cXT7AZDP
                                                                                                                        MD5:B2FCA9A1CA3717B4DD79B5F2A80F6A69
                                                                                                                        SHA1:A8B2DE7FFEA224AF0934A99187F74E49C5837F11
                                                                                                                        SHA-256:532BCA7E8F51D3E4A88523083DC0EC5E36EEE2ECAFFCF239A1E06761D8FAAF4F
                                                                                                                        SHA-512:56BABAFECDA17A8268AFB8BA93B96D5AAFDF90EE924D66A6C281EBBECFBFC4375AD70CD5617452115347917CE01E310354CE184DA706ED34BEBC2C966D8E8CD8
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):20480
                                                                                                                        Entropy (8bit):1.7252612709362465
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:48:d8PhvuRc06WXJYnT56Hyr9ySyedCw1S3VafPTDSbedCcb6QqyOMdZfe4:Ahv17nTUHyr9y/nw1S3cXTDWnLQqgZ
                                                                                                                        MD5:62801F68361159D48C73ED577C09AB08
                                                                                                                        SHA1:57521D542FB3B9D2455804D1287472BB2335132D
                                                                                                                        SHA-256:8EE36998858A42CA43FE817E6ACC0808AE142962DA15E778C2FB7719053C8D5E
                                                                                                                        SHA-512:DD80CCAC51E0A70C641EE60DAE5D260E06836AA1772E68FFA9098E5FF653F500ADE08A137E62D99936FAF88B24CC5243A8380AACA4B3370D985439C0A179FC4F
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:data
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):512
                                                                                                                        Entropy (8bit):0.0
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3::
                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:data
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):73728
                                                                                                                        Entropy (8bit):0.1932139167510094
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:48:8ZbeSbjqyOIhSbedzaSyedz7aDl6PTiAlBV:8ZPqmW+a/+uDlKTiAlBV
                                                                                                                        MD5:C806D5E0B7230F29F235A5F1E253B193
                                                                                                                        SHA1:6AE73597C40CBE16B4C5AEB952407A7783AA8BB1
                                                                                                                        SHA-256:339FB01F4ECADBDD71D83EE717757CE66D5D431519C441E52B7160B0BF5BDA8F
                                                                                                                        SHA-512:3915C709E93ACF2FEEAFC043157B216D20FF2D497177D1FA09C056DC760ECB9681FEB8B670E5D6ACA3396A0048B6087225A9D0E32C32F29F5241D69C77C77159
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:data
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):512
                                                                                                                        Entropy (8bit):0.0
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3::
                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:data
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):512
                                                                                                                        Entropy (8bit):0.0
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3::
                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):32768
                                                                                                                        Entropy (8bit):1.3657206289989499
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:48:e7OukXprM+CFXJ/T58D4sHlVNSyedz7aDl6PTjSbedzcbjqyOIdZbe:cOZEXTmcsHlVN/+uDlKTjW+0q8Z
                                                                                                                        MD5:1D5F1CF0F6CC3DD18CC73A07FD631CC4
                                                                                                                        SHA1:CFEE2F9CC43D02D40C636CE4053873FA6EC6E4C3
                                                                                                                        SHA-256:BADEF4EB84673A4A6BBD023473E19AC23D2626F024C2680709D4087F83BC0CA4
                                                                                                                        SHA-512:BAB50B8EF290E811327A104D8C060DA01F0949CFD11B4CDBD9E25A6D0255AB85D1D0C91C292A46B291B34D1C8B07E4A3330112A9CA038AD9531C44C3CBA0F187
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):49152
                                                                                                                        Entropy (8bit):1.2494559615919172
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:96:alwLT3DaFQl8FOluoWuwq8m2uoWuUHcZ7W:cwLzWFK8FOxbi9lW
                                                                                                                        MD5:5CB76699E55E1C56D47F04CEC8BF85C1
                                                                                                                        SHA1:449D89AB1E8F1A9F652B43B8DF085F4C17CBCFED
                                                                                                                        SHA-256:EE1AFFC1BD877CA31EA5D6E3A84B698D755E623F13DA74507F0947045D5BF2F4
                                                                                                                        SHA-512:7A577004BB930F31BDCB51D2AF97E6954FEBF4405CCD9FAE50600458B81A5CFCCA2D71D01F95AC09C6F42D362EE365B8CB10045DF2A3C884851707990732BC3E
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:data
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):512
                                                                                                                        Entropy (8bit):0.0
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3::
                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):32768
                                                                                                                        Entropy (8bit):1.3657206289989499
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:48:e7OukXprM+CFXJ/T58D4sHlVNSyedz7aDl6PTjSbedzcbjqyOIdZbe:cOZEXTmcsHlVN/+uDlKTjW+0q8Z
                                                                                                                        MD5:1D5F1CF0F6CC3DD18CC73A07FD631CC4
                                                                                                                        SHA1:CFEE2F9CC43D02D40C636CE4053873FA6EC6E4C3
                                                                                                                        SHA-256:BADEF4EB84673A4A6BBD023473E19AC23D2626F024C2680709D4087F83BC0CA4
                                                                                                                        SHA-512:BAB50B8EF290E811327A104D8C060DA01F0949CFD11B4CDBD9E25A6D0255AB85D1D0C91C292A46B291B34D1C8B07E4A3330112A9CA038AD9531C44C3CBA0F187
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):20480
                                                                                                                        Entropy (8bit):1.7197330557086379
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:48:d8PhGuRc06WXJYnT5qsHlVNSyedz7aDl6PTjSbedzcbjqyOIdZbe:AhG17nTEsHlVN/+uDlKTjW+0q8Z
                                                                                                                        MD5:5DEF5FFC091650AD50620B8037018D27
                                                                                                                        SHA1:10644BAF8A7F710500985AFE8B7277284D096F35
                                                                                                                        SHA-256:823FF15ECA000FFD9D3B0EB4F623BF72FE57C78A5FA9DA926F8115B486782D2D
                                                                                                                        SHA-512:8DD89050241868BA5E5446CDAC965EB4FEBFA9ED8CB6EBB5C9EBCD076247EEC12F070BB35F860820F68696182D1C4B9F3913F00C18E47BA40626112463DBFEED
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:data
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):512
                                                                                                                        Entropy (8bit):0.0
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3::
                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):32768
                                                                                                                        Entropy (8bit):1.3688188162267472
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:48:1U3uDM+CFXJ/T5wqHyr9ySyedCw1S3VafPTDSbedCcb6QqyOMdZfe4:63lXTRHyr9y/nw1S3cXTDWnLQqgZ
                                                                                                                        MD5:52CE84801C5F74587A9B8B767F1E7BB0
                                                                                                                        SHA1:2046B7CA650B1B356EE3A539128674313559D9DC
                                                                                                                        SHA-256:FF1BCD88953473699F6AEBF05EC9EB0CAA1A96E216968ABEBE8CFBB88EBA8DB6
                                                                                                                        SHA-512:F15C1B4E46DD85E1A2B2CE124D88A876355DB55AA37FA7C9CCABB55045D6C6C920727238D9E8F913FBEE34530225A9D6C5D6DFF3ED7E9CA649DBAFC63D5A4FA4
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):20480
                                                                                                                        Entropy (8bit):1.7197330557086379
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:48:d8PhGuRc06WXJYnT5qsHlVNSyedz7aDl6PTjSbedzcbjqyOIdZbe:AhG17nTEsHlVN/+uDlKTjW+0q8Z
                                                                                                                        MD5:5DEF5FFC091650AD50620B8037018D27
                                                                                                                        SHA1:10644BAF8A7F710500985AFE8B7277284D096F35
                                                                                                                        SHA-256:823FF15ECA000FFD9D3B0EB4F623BF72FE57C78A5FA9DA926F8115B486782D2D
                                                                                                                        SHA-512:8DD89050241868BA5E5446CDAC965EB4FEBFA9ED8CB6EBB5C9EBCD076247EEC12F070BB35F860820F68696182D1C4B9F3913F00C18E47BA40626112463DBFEED
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:data
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):81920
                                                                                                                        Entropy (8bit):0.28166507266958757
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:96:ZWsf4scUTWxcf4s1nhJf4oSf4myJ0SsuRbjcuMgcCg:XgUFxPfSlyxsduMr
                                                                                                                        MD5:38C2FA450D57B2B074FCF7F68181BE2D
                                                                                                                        SHA1:4AA2FD00683ECE278491180538B886069A4AF45C
                                                                                                                        SHA-256:C5B1A3FD54571DDE0C7113B52AD7FB09B6F5F1626CD0C443145AE2A5381698B9
                                                                                                                        SHA-512:36BAAF446AAD4D3C4C263DB51A6F4FB3ED58495663FB63BD5AC64B56821EA9EB68AE85387898986D3BC9B4BA0A9C944BDF392870A4A3F605BBE00D1D004FCF5C
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:data
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):32768
                                                                                                                        Entropy (8bit):0.336685357852263
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:12:oBWxx0i8n0itFzDHFs4jyJt7EpPeJMVvh/J0Tp4jypzdIpHMsULz2hesi2qhesiV:vxOF0mlHeoJegvZxydsHfOmY
                                                                                                                        MD5:D86B60CEFAAF12A02FA2C47F488934B9
                                                                                                                        SHA1:DA8231F2B23ABA5D807D11618AFF08646F6EC011
                                                                                                                        SHA-256:B248F87BFEB7A56D610FBCA6B590ED9E1851D0618081BDBE918A29DB970CD375
                                                                                                                        SHA-512:1711BA6967A65D385B9404C1342BE0DB16C32CBCE5CE708D43A11958FE9F916DB28853A6C96DC59F4D52E29D09A1C8F773F6C72FBC37DECFFAD1F75348AB6C96
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:data
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):512
                                                                                                                        Entropy (8bit):0.0
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3::
                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:data
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):512
                                                                                                                        Entropy (8bit):0.0
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3::
                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):32768
                                                                                                                        Entropy (8bit):1.3688188162267472
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:48:1U3uDM+CFXJ/T5wqHyr9ySyedCw1S3VafPTDSbedCcb6QqyOMdZfe4:63lXTRHyr9y/nw1S3cXTDWnLQqgZ
                                                                                                                        MD5:52CE84801C5F74587A9B8B767F1E7BB0
                                                                                                                        SHA1:2046B7CA650B1B356EE3A539128674313559D9DC
                                                                                                                        SHA-256:FF1BCD88953473699F6AEBF05EC9EB0CAA1A96E216968ABEBE8CFBB88EBA8DB6
                                                                                                                        SHA-512:F15C1B4E46DD85E1A2B2CE124D88A876355DB55AA37FA7C9CCABB55045D6C6C920727238D9E8F913FBEE34530225A9D6C5D6DFF3ED7E9CA649DBAFC63D5A4FA4
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:data
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):512
                                                                                                                        Entropy (8bit):0.0
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3::
                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:data
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):512
                                                                                                                        Entropy (8bit):0.0
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3::
                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):24576
                                                                                                                        Entropy (8bit):1.9154320419881963
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:96:Jhd1/nT0FQl8FOluoWuwq8m2uoWuUHcZ7W:x1f4FK8FOxbi9lW
                                                                                                                        MD5:C7621976C6FC6357708B1495B083322B
                                                                                                                        SHA1:3821D6CC9F9680AF833323F880EF99696D43C2DC
                                                                                                                        SHA-256:B8FA47D261E5E346999545A52C372A40C87333D013380B6EC9E02C3AD6426BE0
                                                                                                                        SHA-512:A7D2AE46EFBF9FCF7E8E7EC4E8C9818D32840A279BF7B6CBA5DBEAEF00223FEC1E6FB8091DFBE8364FD669DA37CC17A811EEE9FE244691B7A908F1D468E26DEF
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:data
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):512
                                                                                                                        Entropy (8bit):0.0
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3::
                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:data
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):32768
                                                                                                                        Entropy (8bit):1.0420189546741583
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:96:t9lnsaYipbinacPbwldGzWr7+4H0fyApSYa92Vmmmmmmmmmmmmmmmmmm:tsaYihiaced+Wr7qyApSB9
                                                                                                                        MD5:A8517B773F4BCE6C46D522524B257523
                                                                                                                        SHA1:0A63AE9BBB1D0982A3E7B8F4D28B72ECA2E85DBD
                                                                                                                        SHA-256:FBF5FA9BDDA9C5D7AEF0D26F49F10E423F8F73B746A81CA8DDDBC07994AFFA5F
                                                                                                                        SHA-512:BB8B57E0F77743D54060E6A337D5BA58B2734BBCC4BE61B7173754D2472B32BF58896FAE3E9863F1B721D147ACAD2EC827B01D3880A5E701CB2492DA1DC85D55
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:data
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):512
                                                                                                                        Entropy (8bit):0.0
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3::
                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):32768
                                                                                                                        Entropy (8bit):1.3688188162267472
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:48:1U3uDM+CFXJ/T5wqHyr9ySyedCw1S3VafPTDSbedCcb6QqyOMdZfe4:63lXTRHyr9y/nw1S3cXTDWnLQqgZ
                                                                                                                        MD5:52CE84801C5F74587A9B8B767F1E7BB0
                                                                                                                        SHA1:2046B7CA650B1B356EE3A539128674313559D9DC
                                                                                                                        SHA-256:FF1BCD88953473699F6AEBF05EC9EB0CAA1A96E216968ABEBE8CFBB88EBA8DB6
                                                                                                                        SHA-512:F15C1B4E46DD85E1A2B2CE124D88A876355DB55AA37FA7C9CCABB55045D6C6C920727238D9E8F913FBEE34530225A9D6C5D6DFF3ED7E9CA649DBAFC63D5A4FA4
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:data
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):73728
                                                                                                                        Entropy (8bit):0.3382338459737986
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:48:W8Z7ClFHGSGdoOdokQdoYdo+dzu8dzWuCL1SpdoOdokQdoXVdo+dzu8dzWuC1q8N:W8Z7IHG2uoWuCOluoWuwq8BAlgB
                                                                                                                        MD5:906EF3596E1EF45A6174FFBBE1A88C91
                                                                                                                        SHA1:184E19D9F6CB07C5B3832C90A796CB7F4881221C
                                                                                                                        SHA-256:8005E419DEA280E35592883718D8465D330B142384463DC7FCA32DDA6B3545CA
                                                                                                                        SHA-512:319D0951E38F6303FFB947EE97421FBFCA5C6C60C1AC6AAEEAC64EDF4CAAEB5F9D28C417181BEC25071F3571013F78C071E8282162BBB91E2280CBAC04DF8262
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):20480
                                                                                                                        Entropy (8bit):1.7252612709362465
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:48:d8PhvuRc06WXJYnT56Hyr9ySyedCw1S3VafPTDSbedCcb6QqyOMdZfe4:Ahv17nTUHyr9y/nw1S3cXTDWnLQqgZ
                                                                                                                        MD5:62801F68361159D48C73ED577C09AB08
                                                                                                                        SHA1:57521D542FB3B9D2455804D1287472BB2335132D
                                                                                                                        SHA-256:8EE36998858A42CA43FE817E6ACC0808AE142962DA15E778C2FB7719053C8D5E
                                                                                                                        SHA-512:DD80CCAC51E0A70C641EE60DAE5D260E06836AA1772E68FFA9098E5FF653F500ADE08A137E62D99936FAF88B24CC5243A8380AACA4B3370D985439C0A179FC4F
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):49152
                                                                                                                        Entropy (8bit):1.2494559615919172
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:96:alwLT3DaFQl8FOluoWuwq8m2uoWuUHcZ7W:cwLzWFK8FOxbi9lW
                                                                                                                        MD5:5CB76699E55E1C56D47F04CEC8BF85C1
                                                                                                                        SHA1:449D89AB1E8F1A9F652B43B8DF085F4C17CBCFED
                                                                                                                        SHA-256:EE1AFFC1BD877CA31EA5D6E3A84B698D755E623F13DA74507F0947045D5BF2F4
                                                                                                                        SHA-512:7A577004BB930F31BDCB51D2AF97E6954FEBF4405CCD9FAE50600458B81A5CFCCA2D71D01F95AC09C6F42D362EE365B8CB10045DF2A3C884851707990732BC3E
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:data
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):512
                                                                                                                        Entropy (8bit):0.0
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3::
                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:data
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):512
                                                                                                                        Entropy (8bit):0.0
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3::
                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):24576
                                                                                                                        Entropy (8bit):1.9154320419881963
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:96:Jhd1/nT0FQl8FOluoWuwq8m2uoWuUHcZ7W:x1f4FK8FOxbi9lW
                                                                                                                        MD5:C7621976C6FC6357708B1495B083322B
                                                                                                                        SHA1:3821D6CC9F9680AF833323F880EF99696D43C2DC
                                                                                                                        SHA-256:B8FA47D261E5E346999545A52C372A40C87333D013380B6EC9E02C3AD6426BE0
                                                                                                                        SHA-512:A7D2AE46EFBF9FCF7E8E7EC4E8C9818D32840A279BF7B6CBA5DBEAEF00223FEC1E6FB8091DFBE8364FD669DA37CC17A811EEE9FE244691B7A908F1D468E26DEF
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):49152
                                                                                                                        Entropy (8bit):1.2494559615919172
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:96:alwLT3DaFQl8FOluoWuwq8m2uoWuUHcZ7W:cwLzWFK8FOxbi9lW
                                                                                                                        MD5:5CB76699E55E1C56D47F04CEC8BF85C1
                                                                                                                        SHA1:449D89AB1E8F1A9F652B43B8DF085F4C17CBCFED
                                                                                                                        SHA-256:EE1AFFC1BD877CA31EA5D6E3A84B698D755E623F13DA74507F0947045D5BF2F4
                                                                                                                        SHA-512:7A577004BB930F31BDCB51D2AF97E6954FEBF4405CCD9FAE50600458B81A5CFCCA2D71D01F95AC09C6F42D362EE365B8CB10045DF2A3C884851707990732BC3E
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:data
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):32768
                                                                                                                        Entropy (8bit):0.33578196856874776
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:12:oBWxx0i8n0itFzDHFiuBp0Ylt7EpPeJMVvh/J0yBp0YFzdIpHMsULz29cUI9cURq:vxOF0mlfD0YUJegvZpD0YtdsHqt+mR
                                                                                                                        MD5:E062D1A015D2F223D5B29AA00AF5C304
                                                                                                                        SHA1:456522C6326377D4540CCAC38DEEC23F7A9C8FAA
                                                                                                                        SHA-256:EF9ABAC4C6DE39128A3B7CEBB84754D1627FAEB3C51D6C18A5585DA42B239E02
                                                                                                                        SHA-512:9DC302075DDC4C80E89CBF79E22B70F8AC33F2ECDD015BBD68D951CD97E19ACEB9A79B81C59C71EE52E8DBDD4F2A4532D1A4203713501A7C1F060399DE962FF7
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):32768
                                                                                                                        Entropy (8bit):1.3657206289989499
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:48:e7OukXprM+CFXJ/T58D4sHlVNSyedz7aDl6PTjSbedzcbjqyOIdZbe:cOZEXTmcsHlVN/+uDlKTjW+0q8Z
                                                                                                                        MD5:1D5F1CF0F6CC3DD18CC73A07FD631CC4
                                                                                                                        SHA1:CFEE2F9CC43D02D40C636CE4053873FA6EC6E4C3
                                                                                                                        SHA-256:BADEF4EB84673A4A6BBD023473E19AC23D2626F024C2680709D4087F83BC0CA4
                                                                                                                        SHA-512:BAB50B8EF290E811327A104D8C060DA01F0949CFD11B4CDBD9E25A6D0255AB85D1D0C91C292A46B291B34D1C8B07E4A3330112A9CA038AD9531C44C3CBA0F187
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:data
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):512
                                                                                                                        Entropy (8bit):0.0
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3::
                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                        File Type:data
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):512
                                                                                                                        Entropy (8bit):0.0
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3::
                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:data
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):788
                                                                                                                        Entropy (8bit):0.09823380614560741
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3:lbll/:lB
                                                                                                                        MD5:DF7119A5D3CAEDA80BF0FB6F8E53DE8F
                                                                                                                        SHA1:76458E1D2E0FA4519FACB71A5F23F8799713BE2B
                                                                                                                        SHA-256:3C418A401CBE09F64EDE6E598C5CA36717830446147C8EF6327168EDC7B1CB0C
                                                                                                                        SHA-512:85142D1942111783303FA060348BC76B1DD361336DCCC9DC9CDD3432EC6CF215756CBA66A367E560C9D5719BA4F585434319A66D9A97D9A09F5AC4A752B00B6C
                                                                                                                        Malicious:false
                                                                                                                        Preview:Sdwn................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (580), with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):39960
                                                                                                                        Entropy (8bit):3.546136332718863
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:4vE1fXRqJZzSWHGfFchpWmlwD+s+gfgol6LuFqJ+kJqNvqBv:gENXR2dGfFApWmlk+BgooMLCqJUq
                                                                                                                        MD5:C535B0D3BAD7CD3764E4A8C36D7CC511
                                                                                                                        SHA1:03B90F562D1BC51E10B25FA39F79E00BD5C43CB7
                                                                                                                        SHA-256:41D63B6A88DE932DBCD7BE2C3028CBA9E2F7760DA88068F0FE1A2553C8FEB071
                                                                                                                        SHA-512:885247EB1AC9E98954C73C6139BC2382D8B28C06A6D4D782DC22EFBADED7C7EE902ADCFA258AB0A1388C45A87B54E4020BCE7FB49B7F845BAA415BC600125378
                                                                                                                        Malicious:false
                                                                                                                        Preview:<?xml version="1.0" encoding="utf-16"?> <Setup xmlns="http://schemas.microsoft.com/Setup/2008/01/im" xmlns:ironman="http://schemas.microsoft.com/Setup/2008/01/im"> <LocalizedData> <Language> <Text ID="#(loc.Blocker_X64)" LocalizedText="This setup program requires an x64 platform. It cannot be installed on this platform."/> <Text ID="#(loc.Blocker_IA64)" LocalizedText="This setup program requires an IA64 platform. It cannot be installed on this platform."/> <Text ID
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):18080
                                                                                                                        Entropy (8bit):5.766442508142232
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:ox2SX2vPzBrSxWkeWDaCIc3q0GftpBjv8:OlNNi6
                                                                                                                        MD5:D8593BACB734BB0183C6D100739D61F5
                                                                                                                        SHA1:DCBA9A329BEA4826B69AD637EB403D5BFAD5A64E
                                                                                                                        SHA-256:EDEABC58C2C151A667A053E7AFF0D792F17306DF14FFC4C427266842F791F94A
                                                                                                                        SHA-512:CD2C28E7F75421461A9815FB4E4CBF2A8F9A6CC2725577FDF606426F949923612056A7065B23254B1E9AEE06F351EB8927ED0AA79380855F5EA5B619B0FBBDB9
                                                                                                                        Malicious:false
                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............{%......{".....Rich............................PE..L...Op.W.........."!.........(...............................................P......1<....@.......................................... ...$...........,...............................................................................................text...G...........................@..@.rsrc....0... ...&..................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):159122
                                                                                                                        Entropy (8bit):4.973733509322075
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:768:Rzh9hPd5MnYK3Tj7xS+MiPf8b7Qh+C6zs8kWblFl6KRDqP4eLRSTU8elKlDpsgjH:RzlCDCylpPrOaaFlRwE
                                                                                                                        MD5:CF60C7C03A7259D88E99E56389513BDB
                                                                                                                        SHA1:B0C24D71598775AA8024FAA2BA538CDB7EE8E62A
                                                                                                                        SHA-256:7CD420D6C323EC36FEB967AA3334AB36129C2CE5F8699F9D1B17B11CDE307874
                                                                                                                        SHA-512:4452CE62AC4F0BD6BB5ABA24128110958E6AAE8C07C11F963B04469EE39880E6AB38A1FB8EDCDB3B54A4D81CAECADE47CD876C96CDC4BB778405B550F3823DC4
                                                                                                                        Malicious:false
                                                                                                                        Preview:{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff38\deff0\stshfdbch11\stshfloch0\stshfhich0\stshfbi0\deflang1033\deflangfe2052\themelang1033\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman{\*\falt Times};}..{\f2\fbidi \fmodern\fcharset0\fprq1{\*\panose 02070309020205020404}Courier New{\*\falt Arial};}{\f3\fbidi \froman\fcharset2\fprq2{\*\panose 05050102010706020507}Symbol{\*\falt Times};}..{\f10\fbidi \fnil\fcharset2\fprq2{\*\panose 05000000000000000000}Wingdings{\*\falt Symbol};}{\f11\fbidi \fmodern\fcharset128\fprq1{\*\panose 02020609040205080304}MS Mincho{\*\falt ?l?r ??\'81\'66c};}..{\f13\fbidi \fnil\fcharset134\fprq2{\*\panose 02010600030101010101}SimSun{\*\falt ??????\'a8\'ac???};}{\f34\fbidi \froman\fcharset0\fprq2{\*\panose 02040503050406030204}Cambria Math{\*\falt Calisto MT};}..{\f38\fbidi \fswiss\fcharset0\fprq2{\*\panose 020b0604030504040204}Tahoma{\*\falt ?l?r ??u!??I};}{\f367\fbidi \fswiss\fcharset0\fprq2{\*
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (580), with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):39960
                                                                                                                        Entropy (8bit):3.546136332718863
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:4vE1fXRqJZzSWHGfFchpWmlwD+s+gfgol6LuFqJ+kJqNvqBv:gENXR2dGfFApWmlk+BgooMLCqJUq
                                                                                                                        MD5:C535B0D3BAD7CD3764E4A8C36D7CC511
                                                                                                                        SHA1:03B90F562D1BC51E10B25FA39F79E00BD5C43CB7
                                                                                                                        SHA-256:41D63B6A88DE932DBCD7BE2C3028CBA9E2F7760DA88068F0FE1A2553C8FEB071
                                                                                                                        SHA-512:885247EB1AC9E98954C73C6139BC2382D8B28C06A6D4D782DC22EFBADED7C7EE902ADCFA258AB0A1388C45A87B54E4020BCE7FB49B7F845BAA415BC600125378
                                                                                                                        Malicious:false
                                                                                                                        Preview:<?xml version="1.0" encoding="utf-16"?> <Setup xmlns="http://schemas.microsoft.com/Setup/2008/01/im" xmlns:ironman="http://schemas.microsoft.com/Setup/2008/01/im"> <LocalizedData> <Language> <Text ID="#(loc.Blocker_X64)" LocalizedText="This setup program requires an x64 platform. It cannot be installed on this platform."/> <Text ID="#(loc.Blocker_IA64)" LocalizedText="This setup program requires an IA64 platform. It cannot be installed on this platform."/> <Text ID
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):15008
                                                                                                                        Entropy (8bit):6.106786298419671
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:rzuwLmlCW1g+/kmXWpnEWvaCIc3q0GftpBjLV:0lpffG3iVV
                                                                                                                        MD5:33C45551F18E80F8258E1ED07ECAF727
                                                                                                                        SHA1:E7A04454C093CA0DEC56B02E868E151109597F8C
                                                                                                                        SHA-256:F7F5CCF7B3C0014073E35662FF64B6E6B12B3CC0AC614E0AE761E9FB7B2F46DB
                                                                                                                        SHA-512:9F355569CF6F2E945611DC907A792239881226BFBF01BC3E69A4F21E4512F9F3B35E15A1784E8279E14FCC296B9A3EE656E4F07C564FE2A5D3F0AFFDA9F7F9B7
                                                                                                                        Malicious:false
                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............{%......{".....Rich............................PE..L...Op.W.........."!.........................................................@............@.......................................... ..\............ ...............................................................................................text...G...........................@..@.rsrc.... ... ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):189807
                                                                                                                        Entropy (8bit):4.988103229844314
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3072:+xJtNoEXbnjdNxVn5oI7iQyI+zrlMcEUAm7lLhfp+L4RJAcJXQTGZBENr5ztQHKU:ObjdNxVn5oI7iQyI+zrlMcEUAm7lLhff
                                                                                                                        MD5:DA544E5765610415F7B85EAAF2BAB48D
                                                                                                                        SHA1:EA7891A3A703571102760ED68CE595F105F78EEE
                                                                                                                        SHA-256:948292A99026D7A150973902BAAFD55CB19465CD1A74765D593B091B92B48E1F
                                                                                                                        SHA-512:DD378C07E9F77B3B5BEF29AD3B3BBE0AD23B9C3BB129FE8E25FC2CB6262AF01F6C3B8F371796F026B5DAD32E4AB17F2B75AA36EEE0110A8D70EFDC196AE9B7D8
                                                                                                                        Malicious:false
                                                                                                                        Preview:{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff0\deff0\stshfdbch14\stshfloch0\stshfhich0\stshfbi0\deflang1033\deflangfe1033\themelang1033\themelangfe2052\themelangcs1025{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman{\*\falt Times};}..{\f2\fbidi \fmodern\fcharset0\fprq1{\*\panose 02070309020205020404}Courier New{\*\falt Arial};}{\f3\fbidi \froman\fcharset2\fprq2{\*\panose 05050102010706020507}Symbol{\*\falt Times};}..{\f10\fbidi \fnil\fcharset2\fprq2{\*\panose 05000000000000000000}Wingdings{\*\falt Symbol};}{\f11\fbidi \fmodern\fcharset128\fprq1{\*\panose 02020609040205080304}MS Mincho{\*\falt ?l?r ??\'81\'66c};}..{\f13\fbidi \fnil\fcharset134\fprq2{\*\panose 02010600030101010101}SimSun{\*\falt ???\'a1\'ec??};}{\f14\fbidi \froman\fcharset136\fprq2{\*\panose 02020500000000000000}PMingLiU{\*\falt \'b7\'73\'b2\'d3\'a9\'fa\'c5\'e9};}..{\f34\fbidi \froman\fcharset0\fprq2{\*\panose 02040503050406030204}Cambria Math{\*\falt Calisto MT};}{\f38\fbidi \f
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (580), with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):39960
                                                                                                                        Entropy (8bit):3.546136332718863
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:4vE1fXRqJZzSWHGfFchpWmlwD+s+gfgol6LuFqJ+kJqNvqBv:gENXR2dGfFApWmlk+BgooMLCqJUq
                                                                                                                        MD5:C535B0D3BAD7CD3764E4A8C36D7CC511
                                                                                                                        SHA1:03B90F562D1BC51E10B25FA39F79E00BD5C43CB7
                                                                                                                        SHA-256:41D63B6A88DE932DBCD7BE2C3028CBA9E2F7760DA88068F0FE1A2553C8FEB071
                                                                                                                        SHA-512:885247EB1AC9E98954C73C6139BC2382D8B28C06A6D4D782DC22EFBADED7C7EE902ADCFA258AB0A1388C45A87B54E4020BCE7FB49B7F845BAA415BC600125378
                                                                                                                        Malicious:false
                                                                                                                        Preview:<?xml version="1.0" encoding="utf-16"?> <Setup xmlns="http://schemas.microsoft.com/Setup/2008/01/im" xmlns:ironman="http://schemas.microsoft.com/Setup/2008/01/im"> <LocalizedData> <Language> <Text ID="#(loc.Blocker_X64)" LocalizedText="This setup program requires an x64 platform. It cannot be installed on this platform."/> <Text ID="#(loc.Blocker_IA64)" LocalizedText="This setup program requires an IA64 platform. It cannot be installed on this platform."/> <Text ID
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):19104
                                                                                                                        Entropy (8bit):5.3920443507238165
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:2BX61hALPTIOCWp9feWPfEQq0GftpBjwfB:28kPFiGJ
                                                                                                                        MD5:34517F671E26E214CE928D76DA001255
                                                                                                                        SHA1:BB1DDB8101E34E35FA49724BADEC2DA951783C05
                                                                                                                        SHA-256:3F86499FF5F2D0019ADEA53B022242869AA1FDDC76D37E90A96F13C064D88012
                                                                                                                        SHA-512:6DBF8AB7AF29BEB8EA02C8C8193A50F037F56DD7911D4EAE1BB101475188D74A5C82200677DF1BB186BBF528206364D3C38D102C35B94E958B6D0461F9BF64D9
                                                                                                                        Malicious:false
                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............{%......{".....Rich............................PE..L...Op.W.........."!.........,...............................................P......Uo....@.......................................... ..((...........0...............................................................................................text...G...........................@..@.rsrc....0... ...*..................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):168158
                                                                                                                        Entropy (8bit):5.010437753886654
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (580), with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):39960
                                                                                                                        Entropy (8bit):3.546136332718863
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):19616
                                                                                                                        Entropy (8bit):5.29186903928536
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):144106
                                                                                                                        Entropy (8bit):5.04416582801015
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (581), with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):40284
                                                                                                                        Entropy (8bit):3.5377528456795426
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):18080
                                                                                                                        Entropy (8bit):5.322153302544614
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):163998
                                                                                                                        Entropy (8bit):5.016380895489512
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (580), with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):39960
                                                                                                                        Entropy (8bit):3.546136332718863
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):19104
                                                                                                                        Entropy (8bit):5.327661667381336
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):155201
                                                                                                                        Entropy (8bit):5.032612994966786
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (580), with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):39960
                                                                                                                        Entropy (8bit):3.546136332718863
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:4vE1fXRqJZzSWHGfFchpWmlwD+s+gfgol6LuFqJ+kJqNvqBv:gENXR2dGfFApWmlk+BgooMLCqJUq
                                                                                                                        MD5:C535B0D3BAD7CD3764E4A8C36D7CC511
                                                                                                                        SHA1:03B90F562D1BC51E10B25FA39F79E00BD5C43CB7
                                                                                                                        SHA-256:41D63B6A88DE932DBCD7BE2C3028CBA9E2F7760DA88068F0FE1A2553C8FEB071
                                                                                                                        SHA-512:885247EB1AC9E98954C73C6139BC2382D8B28C06A6D4D782DC22EFBADED7C7EE902ADCFA258AB0A1388C45A87B54E4020BCE7FB49B7F845BAA415BC600125378
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):19616
                                                                                                                        Entropy (8bit):5.271105830776341
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:snZ66AY9li3OoDDkbmWpAeWjaCIc3q0GftpBjKf:sLfiZDgmtig
                                                                                                                        MD5:8FA521DE84995A6F89B0D81370D6E1EC
                                                                                                                        SHA1:06F5E034D53DC037EA3E1966FB7B9F0144CB834D
                                                                                                                        SHA-256:846EEDEC28A5A16807874A7CF92A855970B089BD010AA2FAA982D25CFB9D1445
                                                                                                                        SHA-512:BE1639DAE1B52F12B15F6B25962D5E0ED42E9A3A87B3EEC90E844956A56AAA468AC9E6EDECF5BF91B1ACDE3FA6E4F81D0F9093B9AB189DB20F5D88E3E8377977
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):160816
                                                                                                                        Entropy (8bit):5.023465722024373
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3072:hk18qMRJAwJjAXetBE1rRbe+KusGWqcJ2f:m5
                                                                                                                        MD5:40188EB3E79733C3E9D36A9A9C072E78
                                                                                                                        SHA1:B07CCC42A94A1142A37DAF45A850910F497645FE
                                                                                                                        SHA-256:4F24556B2960559B93A0C5B1FB5145432D2AD225692BBD2BC92C1A30453340FA
                                                                                                                        SHA-512:55868E710AA593C597AEA8E975A9665A642B3CFAEF18363D77FDE7E7DA17EB4A19B5A491718E73F071E58169683EFE13CA495771E36018D73CC9F6F22C8BC242
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (580), with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):39960
                                                                                                                        Entropy (8bit):3.546136332718863
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:4vE1fXRqJZzSWHGfFchpWmlwD+s+gfgol6LuFqJ+kJqNvqBv:gENXR2dGfFApWmlk+BgooMLCqJUq
                                                                                                                        MD5:C535B0D3BAD7CD3764E4A8C36D7CC511
                                                                                                                        SHA1:03B90F562D1BC51E10B25FA39F79E00BD5C43CB7
                                                                                                                        SHA-256:41D63B6A88DE932DBCD7BE2C3028CBA9E2F7760DA88068F0FE1A2553C8FEB071
                                                                                                                        SHA-512:885247EB1AC9E98954C73C6139BC2382D8B28C06A6D4D782DC22EFBADED7C7EE902ADCFA258AB0A1388C45A87B54E4020BCE7FB49B7F845BAA415BC600125378
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):17568
                                                                                                                        Entropy (8bit):5.878590477877689
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:192:fAXkdHUfwVW13jowXiTeISvjpHawC1MWWeWlGLeuDBks/nGfe4pBjS7anTnfV:fl06Qrw5MWWeWA5q0GftpBjHnzV
                                                                                                                        MD5:8718207FFF4D5305CE6F82260223AA63
                                                                                                                        SHA1:CAF4EE4AF63DD1C3DB1365F10100E27072A5EF80
                                                                                                                        SHA-256:A0104CF7F6AAEA161353A0751F63793F579FDBA14177932E92A2864D67C5BADE
                                                                                                                        SHA-512:CE26CEA5B8D9C452A688E46965D1FFE82279B46CC98F00F9369986ABAA1A91EB94495810E39C73D8E61584DD084D1269150950B934C2F206D888BE06D659CC18
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):143461
                                                                                                                        Entropy (8bit):4.992111412514566
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:768:4zhUUVMeNkfjGuVjvxY7uCEM7TZe0cFhxHy5qnWi+iJyuinVZDJzQC69V72nOA3+:4ur0mw/5O6xY
                                                                                                                        MD5:79036650E9DF1891C51E4F4CF8D718FB
                                                                                                                        SHA1:43CFB5EC1E920AA2E669FB9DBC562C7CCF2F79AF
                                                                                                                        SHA-256:3B7E74C398477F6EBAD95433C66D58348579C5335ADC5F2C1FB206DF4CE7D8B9
                                                                                                                        SHA-512:DEF270B07B64DE1ABD8E09309279A96FBF023263560EB7C554396B16559640106AF8E2AFD2871F1A6688659AED3C899EB32EC09848C042B2014786BF4C4854B9
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (580), with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):39960
                                                                                                                        Entropy (8bit):3.546136332718863
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:4vE1fXRqJZzSWHGfFchpWmlwD+s+gfgol6LuFqJ+kJqNvqBv:gENXR2dGfFApWmlk+BgooMLCqJUq
                                                                                                                        MD5:C535B0D3BAD7CD3764E4A8C36D7CC511
                                                                                                                        SHA1:03B90F562D1BC51E10B25FA39F79E00BD5C43CB7
                                                                                                                        SHA-256:41D63B6A88DE932DBCD7BE2C3028CBA9E2F7760DA88068F0FE1A2553C8FEB071
                                                                                                                        SHA-512:885247EB1AC9E98954C73C6139BC2382D8B28C06A6D4D782DC22EFBADED7C7EE902ADCFA258AB0A1388C45A87B54E4020BCE7FB49B7F845BAA415BC600125378
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):19104
                                                                                                                        Entropy (8bit):5.307480013444462
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:jnn6Tg7AtONBKHno5FWneWFy36q0GftpBju:jbAbsa8kiU
                                                                                                                        MD5:FC964FEADD0EB41C1CD44E78B80C2B23
                                                                                                                        SHA1:DB4923583685B4DAC8C81A5A0DA0CF6A6C1EBED8
                                                                                                                        SHA-256:670009D4F0C9B4191DF8DAA660303EA55F68D510100B3CA280C5BAC8B8639F44
                                                                                                                        SHA-512:E0AE9B71611535BDBBD859161ED2F05C1E1BBC8835D0B53BB05680082967499C06F9FCE66751399B9CB770C3DB5C8D78FDC1B2EEC1106BC888621E80D852AD3A
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):185981
                                                                                                                        Entropy (8bit):5.006970219166777
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3072:vYu899MRJAwJjAXetBE1rRbe+KusGWqcJ2r:oV
                                                                                                                        MD5:537C50EFA2C96FFCA241D59141A76A81
                                                                                                                        SHA1:8EFA6A6EF3C53C96E323D461C4AA5E60E1D45289
                                                                                                                        SHA-256:8C0CE4C5FDF6531FA12E68B6408B8DB8811DE7BA8276585FF328B374F8381B5C
                                                                                                                        SHA-512:625099D981579A4074BE8CD4E97B70468F4D14B0BEEEB674CAA74D54E1CCF6236ED37DCF77A42633AFFA0C0637194BAD30467E5F082B39D5DD0E99E252BBAC53
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (580), with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):39960
                                                                                                                        Entropy (8bit):3.546136332718863
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:4vE1fXRqJZzSWHGfFchpWmlwD+s+gfgol6LuFqJ+kJqNvqBv:gENXR2dGfFApWmlk+BgooMLCqJUq
                                                                                                                        MD5:C535B0D3BAD7CD3764E4A8C36D7CC511
                                                                                                                        SHA1:03B90F562D1BC51E10B25FA39F79E00BD5C43CB7
                                                                                                                        SHA-256:41D63B6A88DE932DBCD7BE2C3028CBA9E2F7760DA88068F0FE1A2553C8FEB071
                                                                                                                        SHA-512:885247EB1AC9E98954C73C6139BC2382D8B28C06A6D4D782DC22EFBADED7C7EE902ADCFA258AB0A1388C45A87B54E4020BCE7FB49B7F845BAA415BC600125378
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):16544
                                                                                                                        Entropy (8bit):6.057737660734426
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:DhC7mS53JkNuW5UEWXaCIc3q0GftpBjBA:OmSkAji/A
                                                                                                                        MD5:05DC63F5BA455A4F71351C40F709D836
                                                                                                                        SHA1:7CA7A532679CD00B92C2FE7459ABE83FDD9B8108
                                                                                                                        SHA-256:74A4B386AEFB9AE7E01F8E61F576AAEB70EECEA4200B6AF4EA984B6A23BDE95E
                                                                                                                        SHA-512:AB9541A83404DCF303BEAE07D0A502F3DA149560416D5EB493E31F641660CC09CC5F8D7E57C3373DF8A2D926DB8B5A1BB8AE6CC7FFF1D8354B2ADD080215ED9E
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):185073
                                                                                                                        Entropy (8bit):4.95667011370172
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3072:wdz8RJH7J3g7i1BE5rBvNQnKSusdZOc5Jw:c
                                                                                                                        MD5:2BDE42A55EEC09AD183F8FCF278337FC
                                                                                                                        SHA1:879D01F5D4B5F5668E012D6EB33D3717FF9ECB04
                                                                                                                        SHA-256:829717D58EF665B46B77ADD1A2F9AC55423963F1F732FE3D9ABB0B72350598D0
                                                                                                                        SHA-512:8CB7F9AC06DE808E906A72C3DDB67BF3077E9BC79A67E9F2489EF5756269B15C32732BA6F0B1F37B1CAD8551E5B186BF943E4AF3C6A8A09BAE3BBFAFF3DC383C
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (580), with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):39960
                                                                                                                        Entropy (8bit):3.546136332718863
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:4vE1fXRqJZzSWHGfFchpWmlwD+s+gfgol6LuFqJ+kJqNvqBv:gENXR2dGfFApWmlk+BgooMLCqJUq
                                                                                                                        MD5:C535B0D3BAD7CD3764E4A8C36D7CC511
                                                                                                                        SHA1:03B90F562D1BC51E10B25FA39F79E00BD5C43CB7
                                                                                                                        SHA-256:41D63B6A88DE932DBCD7BE2C3028CBA9E2F7760DA88068F0FE1A2553C8FEB071
                                                                                                                        SHA-512:885247EB1AC9E98954C73C6139BC2382D8B28C06A6D4D782DC22EFBADED7C7EE902ADCFA258AB0A1388C45A87B54E4020BCE7FB49B7F845BAA415BC600125378
                                                                                                                        Malicious:false
                                                                                                                        Preview:<?xml version="1.0" encoding="utf-16"?> <Setup xmlns="http://schemas.microsoft.com/Setup/2008/01/im" xmlns:ironman="http://schemas.microsoft.com/Setup/2008/01/im"> <LocalizedData> <Language> <Text ID="#(loc.Blocker_X64)" LocalizedText="This setup program requires an x64 platform. It cannot be installed on this platform."/> <Text ID="#(loc.Blocker_IA64)" LocalizedText="This setup program requires an IA64 platform. It cannot be installed on this platform."/> <Text ID
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):16032
                                                                                                                        Entropy (8bit):6.10084617158501
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:192:xpix6f+jYxzekdPKNS0N7gVCAgWpyeWmDFI/duDBks/nGfe4pBjS7UlPeg:libMj0lgRgWpyeW+ywq0GftpBjZlP/
                                                                                                                        MD5:53F62CD74599E622641EE9CD23620790
                                                                                                                        SHA1:8D7419E7A009CEB5F81D4B0893EF3A40487E8FB8
                                                                                                                        SHA-256:42715FFF862879575B4042EA6ECDBCDE5CB68F673D6C9795B8670DF9C6C821A0
                                                                                                                        SHA-512:FBF835D529A7DAB2F48D4D66C79ED60683BE96EE0D8DDF971A3499ABE520808975CD720E2693E00A64512D6C3D4F0DB28F45AE7087D7B2F621C911CBA0003243
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):363487
                                                                                                                        Entropy (8bit):4.840413724364087
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3072:SWqnIeJA7VHLWiiEmQO/xvI1RhFZiLKd8:qj
                                                                                                                        MD5:231BCDD91D4BEAAEC841FBB5BEF8177E
                                                                                                                        SHA1:14848888FCF9E80C8D832C682A33C3038E9DAFFF
                                                                                                                        SHA-256:EE213E9C14D1391F0D0771F0E672A0C5804C8E57B989E5C199C290CC498051A4
                                                                                                                        SHA-512:2902012E62A020A595FFA6AA648AE55F41B996BCFED4ABC2766FDD664B87347DD91934F6DC5CD08C2DC25D3DA843C4A0812733C334D5E21B25B2A1F952BDE36A
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (580), with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):39960
                                                                                                                        Entropy (8bit):3.546136332718863
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:4vE1fXRqJZzSWHGfFchpWmlwD+s+gfgol6LuFqJ+kJqNvqBv:gENXR2dGfFApWmlk+BgooMLCqJUq
                                                                                                                        MD5:C535B0D3BAD7CD3764E4A8C36D7CC511
                                                                                                                        SHA1:03B90F562D1BC51E10B25FA39F79E00BD5C43CB7
                                                                                                                        SHA-256:41D63B6A88DE932DBCD7BE2C3028CBA9E2F7760DA88068F0FE1A2553C8FEB071
                                                                                                                        SHA-512:885247EB1AC9E98954C73C6139BC2382D8B28C06A6D4D782DC22EFBADED7C7EE902ADCFA258AB0A1388C45A87B54E4020BCE7FB49B7F845BAA415BC600125378
                                                                                                                        Malicious:false
                                                                                                                        Preview:<?xml version="1.0" encoding="utf-16"?> <Setup xmlns="http://schemas.microsoft.com/Setup/2008/01/im" xmlns:ironman="http://schemas.microsoft.com/Setup/2008/01/im"> <LocalizedData> <Language> <Text ID="#(loc.Blocker_X64)" LocalizedText="This setup program requires an x64 platform. It cannot be installed on this platform."/> <Text ID="#(loc.Blocker_IA64)" LocalizedText="This setup program requires an IA64 platform. It cannot be installed on this platform."/> <Text ID
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):20128
                                                                                                                        Entropy (8bit):5.258300957443283
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:g124Y0WDDkowwX8OZjv1t6WVLeWty36q0GftpBjb:oYZ1kki5
                                                                                                                        MD5:99B9A985DBE30B044380CFAF95579F16
                                                                                                                        SHA1:E4C5CC5AAEFB534FDEE61A2BE25F7A39BB0AB1D2
                                                                                                                        SHA-256:399A838B9C61696536D4B1AB29E6765781A69D29A6CD3B20EB4A221A18B27AEF
                                                                                                                        SHA-512:754D17482A019968490A267B68909F2F6E49999E3463EE9C5482D1E3FFDCC752FE3B5B1C20D630462451109F23D11FE7C19C6ADE8CBAEF830425D96A35920A82
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):139568
                                                                                                                        Entropy (8bit):5.039707527027802
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3072:d8f9gRJA8J/snalBEm0OgKXIJR10GZybh2y:f
                                                                                                                        MD5:47B9B0787AAA0074C985F8283B0A3DBE
                                                                                                                        SHA1:D9D3E387C16FB4C23E0577A79281192F0645FD2A
                                                                                                                        SHA-256:97AB3F8B49F324A07AB924D432017F2171C40AD55F6F8A8CA109505AA2F0C267
                                                                                                                        SHA-512:64251E21557EFFB58777139085122C681762C2BB84F8483F24E3493CC27DB2A5B60134FB99C25D7DBEEF6B78AC06FABE1BECB4A557B6338858CC7D73DEADBC2B
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (580), with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):39960
                                                                                                                        Entropy (8bit):3.546136332718863
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:4vE1fXRqJZzSWHGfFchpWmlwD+s+gfgol6LuFqJ+kJqNvqBv:gENXR2dGfFApWmlk+BgooMLCqJUq
                                                                                                                        MD5:C535B0D3BAD7CD3764E4A8C36D7CC511
                                                                                                                        SHA1:03B90F562D1BC51E10B25FA39F79E00BD5C43CB7
                                                                                                                        SHA-256:41D63B6A88DE932DBCD7BE2C3028CBA9E2F7760DA88068F0FE1A2553C8FEB071
                                                                                                                        SHA-512:885247EB1AC9E98954C73C6139BC2382D8B28C06A6D4D782DC22EFBADED7C7EE902ADCFA258AB0A1388C45A87B54E4020BCE7FB49B7F845BAA415BC600125378
                                                                                                                        Malicious:false
                                                                                                                        Preview:<?xml version="1.0" encoding="utf-16"?> <Setup xmlns="http://schemas.microsoft.com/Setup/2008/01/im" xmlns:ironman="http://schemas.microsoft.com/Setup/2008/01/im"> <LocalizedData> <Language> <Text ID="#(loc.Blocker_X64)" LocalizedText="This setup program requires an x64 platform. It cannot be installed on this platform."/> <Text ID="#(loc.Blocker_IA64)" LocalizedText="This setup program requires an IA64 platform. It cannot be installed on this platform."/> <Text ID
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):18592
                                                                                                                        Entropy (8bit):5.364646476975497
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:BNeu+Oeu+Oeu+rK56qxYBlgFAcUm/nWNeW+ywq0GftpBjtO:EkxYBegm/66im
                                                                                                                        MD5:41BBE49B5A05DBD3864BBD5392717D97
                                                                                                                        SHA1:7F6301DDD82B22C18F6630EFDCD30BCA43D96C4B
                                                                                                                        SHA-256:BF5E03045473C188CFFAB21E5CDEEAA3A4A577989574AA6AB54F8F9DD5322BC5
                                                                                                                        SHA-512:527556399F42E9419711AEE162A0A3E931DFA67AD511093401274C89D823C682A347FA2B36D0FCF7E005F5449F92536933184009FCEE164597B6E9ADF60FDFAB
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):169920
                                                                                                                        Entropy (8bit):5.025124256028609
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (580), with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):39960
                                                                                                                        Entropy (8bit):3.546136332718863
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):19104
                                                                                                                        Entropy (8bit):5.43951060277537
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):164446
                                                                                                                        Entropy (8bit):5.050884337061002
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (580), with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):39960
                                                                                                                        Entropy (8bit):3.546136332718863
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):19104
                                                                                                                        Entropy (8bit):5.364849479933463
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):176888
                                                                                                                        Entropy (8bit):5.002262883456205
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (580), with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):39960
                                                                                                                        Entropy (8bit):3.546136332718863
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):19616
                                                                                                                        Entropy (8bit):5.752719890410503
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):213599
                                                                                                                        Entropy (8bit):4.932887686592641
                                                                                                                        Encrypted:false
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (580), with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):39960
                                                                                                                        Entropy (8bit):3.546136332718863
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:4vE1fXRqJZzSWHGfFchpWmlwD+s+gfgol6LuFqJ+kJqNvqBv:gENXR2dGfFApWmlk+BgooMLCqJUq
                                                                                                                        MD5:C535B0D3BAD7CD3764E4A8C36D7CC511
                                                                                                                        SHA1:03B90F562D1BC51E10B25FA39F79E00BD5C43CB7
                                                                                                                        SHA-256:41D63B6A88DE932DBCD7BE2C3028CBA9E2F7760DA88068F0FE1A2553C8FEB071
                                                                                                                        SHA-512:885247EB1AC9E98954C73C6139BC2382D8B28C06A6D4D782DC22EFBADED7C7EE902ADCFA258AB0A1388C45A87B54E4020BCE7FB49B7F845BAA415BC600125378
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):18592
                                                                                                                        Entropy (8bit):5.354489912379098
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:axU6qxM8IJu5M/oZVQZWpieW6ywq0GftpBj8U:aExMwLViWiZ
                                                                                                                        MD5:8031460BFBBA3A081A18A17AEB7F69E4
                                                                                                                        SHA1:EAEB6FC887106B94F825991657832286370E2888
                                                                                                                        SHA-256:E24A420811B72C08869E7420825169C791BA72E28DFF7AAE3B573BE82660DA6F
                                                                                                                        SHA-512:F43A37DC1B6D6CAC5A3C9E9B80A6EE9035C101A2BBD8F30E77C62AD7E3F82AFFB80C85BE65A2A0A94DD0F09898A34400780128EAA2BE7F3603C1E0FA0E445C6B
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):173097
                                                                                                                        Entropy (8bit):5.0110230942141385
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3072:mMbPS47EGJA7JDnbyiBTmAO3FQ31Rdz5Zq3Khj:rmP
                                                                                                                        MD5:744F01E0DCE8AB0BD7483C7862CFA95D
                                                                                                                        SHA1:33E03C297697B479604144263F39508F0F6A5317
                                                                                                                        SHA-256:2FF20E0B3E20BC5BDE56F9ACF99D4CFBCD8838F0D8A0594FC3AE4BAD0FEA98B9
                                                                                                                        SHA-512:6E42AD4083C44409C7C0102C01D9255DFC3519322D99EC41ED878A484420A02EE29DA1EFC03C9C655AF7D00EABB8873D1330F1775BE32B1C331AF26E9D01309A
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (580), with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):39960
                                                                                                                        Entropy (8bit):3.546136332718863
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:4vE1fXRqJZzSWHGfFchpWmlwD+s+gfgol6LuFqJ+kJqNvqBv:gENXR2dGfFApWmlk+BgooMLCqJUq
                                                                                                                        MD5:C535B0D3BAD7CD3764E4A8C36D7CC511
                                                                                                                        SHA1:03B90F562D1BC51E10B25FA39F79E00BD5C43CB7
                                                                                                                        SHA-256:41D63B6A88DE932DBCD7BE2C3028CBA9E2F7760DA88068F0FE1A2553C8FEB071
                                                                                                                        SHA-512:885247EB1AC9E98954C73C6139BC2382D8B28C06A6D4D782DC22EFBADED7C7EE902ADCFA258AB0A1388C45A87B54E4020BCE7FB49B7F845BAA415BC600125378
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):15008
                                                                                                                        Entropy (8bit):6.150172640342626
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:192:4sLnUfwVWtTXjuQShyjK7pWkEWYBqSya6HIp24uDBks/nGfe4pBjS7WU5P0:beCTFhMKtWkEW3aCIc3q0GftpBjHT
                                                                                                                        MD5:09139FE9213E071CCE9072068AC27716
                                                                                                                        SHA1:27F31086C8584E0BA431B946BE8A087261EC508C
                                                                                                                        SHA-256:BDAE5CB98081DBB3D02D7A6C30D9CA5E738A0570EAABE05B9F2D7DC718BB784C
                                                                                                                        SHA-512:3D2473D26A30FE3DEC427B2DB630F6D8F8685CA910408FD863F79480A1D4128ACDD07BB870AE1B8566441AEC453D494D02592833C2346AF3312E3F36A08DC538
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):223296
                                                                                                                        Entropy (8bit):4.980695202984838
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3072:UAL9Tu+H/4HMHZ30RJAAJLcbeRBEmAZKPI5HMGZ+R2I:u+H/Te
                                                                                                                        MD5:0D0A99667BDE846F63C90A954D849708
                                                                                                                        SHA1:FC27A9922D3B9A515D35D02CC31AA0056216CD9A
                                                                                                                        SHA-256:51EB28C21CFE9BBE59946E1F6851A3E166731CF46DBC875975F2D3E696CEB2E4
                                                                                                                        SHA-512:E41789F0A7867CCD322AF613A8BB218846BF2B8A9C0B189E7C35BBE169C1B8C599D428354867480E9DFBA5B39DD9195FB10ED05D243DDA4F70E6F083699F5C83
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (580), with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):39960
                                                                                                                        Entropy (8bit):3.546136332718863
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:4vE1fXRqJZzSWHGfFchpWmlwD+s+gfgol6LuFqJ+kJqNvqBv:gENXR2dGfFApWmlk+BgooMLCqJUq
                                                                                                                        MD5:C535B0D3BAD7CD3764E4A8C36D7CC511
                                                                                                                        SHA1:03B90F562D1BC51E10B25FA39F79E00BD5C43CB7
                                                                                                                        SHA-256:41D63B6A88DE932DBCD7BE2C3028CBA9E2F7760DA88068F0FE1A2553C8FEB071
                                                                                                                        SHA-512:885247EB1AC9E98954C73C6139BC2382D8B28C06A6D4D782DC22EFBADED7C7EE902ADCFA258AB0A1388C45A87B54E4020BCE7FB49B7F845BAA415BC600125378
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):19616
                                                                                                                        Entropy (8bit):5.334559203495453
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:C5v6Lbg2zZTf1JmWOeWxfEQq0GftpBjH0:C219exFip0
                                                                                                                        MD5:42D0CE4FC0D9A9288BD23429374D5865
                                                                                                                        SHA1:1645682C7DE6E5AB8E135AEE140A8CA1CA3A4B24
                                                                                                                        SHA-256:02441B04847FF987A961C3968405E21F0A3DD5875ED51906E3A8225A2F95468D
                                                                                                                        SHA-512:AF08FC313BBF6C4DE6C59CD0DFC4E7E0D8134F6BC613D1AC77FB0093ED7E70542BA223FF621692B06271D035816639F7530BC480B20F17964C064B9923102000
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):143979
                                                                                                                        Entropy (8bit):5.026613511351579
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3072:OdwkNE1VK8RJH7J3g7i1BE5rBvNQnKSusdZOc5Ji:RkNuVS
                                                                                                                        MD5:478460CCC7C0080975D49DDEB89FBE2B
                                                                                                                        SHA1:2DC7DF50CA95A932F5BD0D1DF3801D4A513E6936
                                                                                                                        SHA-256:7E10681551708357273FC6A9CFE40E910AB28443F77F1E801603C0B546296E7E
                                                                                                                        SHA-512:2C1AFBC12FC97252B74BAA662CF1B618A8B7BF0A66E3132F4898724FFFD7B063B7C66A98C4CE2A48BAC15855C58B5FBB9554DEAC8506FA9AD629BC48EB288CA1
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:HTML document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):16118
                                                                                                                        Entropy (8bit):3.6434775915277604
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:192:7Ddx3KOTczFQ21Kp4n5DTx1iDecPeLHLHQFJFjZWblWUxFzJzcKHjT:fdsOT01KcBUFJFEWUxFzvHH
                                                                                                                        MD5:CD131D41791A543CC6F6ED1EA5BD257C
                                                                                                                        SHA1:F42A2708A0B42A13530D26515274D1FCDBFE8490
                                                                                                                        SHA-256:E139AF8858FE90127095AC1C4685BCD849437EF0DF7C416033554703F5D864BB
                                                                                                                        SHA-512:A6EE9AF8F8C2C7ACD58DD3C42B8D70C55202B382FFC5A93772AF7BF7D7740C1162BB6D38A4307B1802294A18EB52032D410E128072AF7D4F9D54F415BE020C9A
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:MS Windows icon resource - 13 icons, 16x16, 16 colors, 4 bits/pixel, 16x16, 8 bits/pixel
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):88533
                                                                                                                        Entropy (8bit):7.210526848639953
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:xWayqxMQP8ZOs0JOG58d8vo2zYOvvHAj/4/aXj/Nhhg73BVp5vEdb:e/gB4H8vo2no0/aX7C7Dct
                                                                                                                        MD5:F9657D290048E169FFABBBB9C7412BE0
                                                                                                                        SHA1:E45531D559C38825FBDE6F25A82A638184130754
                                                                                                                        SHA-256:B74AD253B9B8F9FCADE725336509143828EE739CC2B24782BE3ECFF26F229160
                                                                                                                        SHA-512:8B93E898148EB8A751BC5E4135EFB36E3AC65AF34EAAC4EA401F1236A2973F003F84B5CFD1BBEE5E43208491AA1B63C428B64E52F7591D79329B474361547268
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):1150
                                                                                                                        Entropy (8bit):4.923507556620034
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:24:dOjNyw2aSGZHJi4U7Wf0mDX+QF7s/AemFAh:MjNyw/0NW9DOp/ANC
                                                                                                                        MD5:7E55DDC6D611176E697D01C90A1212CF
                                                                                                                        SHA1:E2620DA05B8E4E2360DA579A7BE32C1B225DEB1B
                                                                                                                        SHA-256:FF542E32330B123486797B410621E19EAFB39DF3997E14701AFA4C22096520ED
                                                                                                                        SHA-512:283D381AA396820B7E15768B20099D67688DA1F6315EC9F7938C2FCC3167777502CDED0D1BEDDF015A34CC4E5D045BCB665FFD28BA2FBB6FAF50FDD38B31D16E
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):894
                                                                                                                        Entropy (8bit):2.5118974066097444
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:6:kRKqNllGuv/ll2dL/rK//dlQt0tlWMlMN8Fq/wbD4tNZDlNc367YCm6p+Wvtjlpr:pIGOmDAQt8n+uNbctNZ5w6AsXjKHRp5c
                                                                                                                        MD5:26A00597735C5F504CF8B3E7E9A7A4C1
                                                                                                                        SHA1:D913CB26128D5CA1E1AC3DAB782DE363C9B89934
                                                                                                                        SHA-256:37026C4EA2182D7908B3CF0CEF8A6F72BDDCA5F1CFBC702F35B569AD689CF0AF
                                                                                                                        SHA-512:08CEFC5A2B625F261668F70CC9E1536DC4878D332792C751884526E49E7FEE1ECFA6FCCFDDF7BE80910393421CC088C0FD0B0C27C7A7EFF2AE03719E06022FDF
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):894
                                                                                                                        Entropy (8bit):2.5178766234336925
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:12:pmZX5+9wQaxWbwW3h/7eHzemn0iLHRp5c:Md5EaxWbh/Cnt4
                                                                                                                        MD5:8419CAA81F2377E09B7F2F6218E505AE
                                                                                                                        SHA1:2CF5AD8C8DA4F1A38AAB433673F4DDDC7AE380E9
                                                                                                                        SHA-256:DB89D8A45C369303C04988322B2774D2C7888DA5250B4DAB2846DEEF58A7DE22
                                                                                                                        SHA-512:74E504D2C3A8E82925110B7CFB45FDE8A4E6DF53A188E47CF22D664CBB805EBA749D2DB23456FC43A86E57C810BC3D9166E7C72468FBD736DA6A776F8CA015D1
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):894
                                                                                                                        Entropy (8bit):2.5189797450574103
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:12:pPrMIMxPWk3AyORrabBQ+gra2/MXWM4xfQHRp5c:1gxPbXlBQ+gr1ffO4
                                                                                                                        MD5:924FD539523541D42DAD43290E6C0DB5
                                                                                                                        SHA1:19A161531A2C9DBC443B0F41B97CBDE7375B8983
                                                                                                                        SHA-256:02A7FE932029C6FA24D1C7CC06D08A27E84F43A0CBC47B7C43CAC59424B3D1F6
                                                                                                                        SHA-512:86A4C5D981370EFA20183CC4A52C221467692E91539AC38C8DEF1CC200140F6F3D9412B6E62FAF08CA6668DF401D8B842C61B1F3C2A4C4570F3B2CEC79C9EE8B
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):894
                                                                                                                        Entropy (8bit):2.5119705312617957
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:6:kRK///FleTxml+SzNaoT9Q0/lHOmMdrYln8OUo/XRWl2XOXFBYpqnHp/p5c:p///FPwxUrMunUofRReFNHRp5c
                                                                                                                        MD5:BB55B5086A9DA3097FB216C065D15709
                                                                                                                        SHA1:1206C708BD08231961F17DA3D604A8956ADDCCFE
                                                                                                                        SHA-256:8D82FF7970C9A67DA8134686560FE3A6C986A160CED9D1CC1392F2BA75C698AB
                                                                                                                        SHA-512:DE9226064680DA6696976A4A320E08C41F73D127FBB81BF142048996DF6206DDB1C2FE347C483CC8E0E50A00DAB33DB9261D03F1CD7CA757F5CA7BB84865FCA9
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):894
                                                                                                                        Entropy (8bit):2.5083713071878764
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:6:kRKi+Blqkl/QThulVDYa5a//ItEl/aotzauakg//5aM1lkl05Kaag2/JqnHp/p5c:pXBHehqSayIylrtBg/bk4AgzHRp5c
                                                                                                                        MD5:3B4861F93B465D724C60670B64FCCFCF
                                                                                                                        SHA1:C672D63C62E00E24FBB40DA96A0CC45B7C5EF7F0
                                                                                                                        SHA-256:7237051D9AF5DB972A1FECF0B35CD8E9021471740782B0DBF60D3801DC9F5F75
                                                                                                                        SHA-512:2E798B0C9E80F639571525F39C2F50838D5244EEDA29B18A1FAE6C15D939D5C8CD29F6785D234B54BDA843A645D1A95C7339707991A81946B51F7E8D5ED40D2C
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):894
                                                                                                                        Entropy (8bit):2.5043420982993396
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:12:pjs+/hlRwx5REHevtOkslTaGWOpRFkpRHkCHRp5c:tZ/u+HeilBh/F+Rd4
                                                                                                                        MD5:70006BF18A39D258012875AEFB92A3D1
                                                                                                                        SHA1:B47788F3F8C5C305982EB1D0E91C675EE02C7BEB
                                                                                                                        SHA-256:19ABCEDF93D790E19FB3379CB3B46371D3CBFF48FE7E63F4FDCC2AC23A9943E4
                                                                                                                        SHA-512:97FDBDD6EFADBFB08161D8546299952470228A042BD2090CD49896BC31CCB7C73DAB8F9DE50CDAF6459F7F5C14206AF7B90016DEEB1220943D61C7324541FE2C
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):894
                                                                                                                        Entropy (8bit):2.4948009720290445
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:6:kRKIekllisUriJ2IP+eX8iDml8mS8+hlxllwqlllkg2klHYdpqnHp/p5c:p8os0iieX8iNVHX//x2sHYdoHRp5c
                                                                                                                        MD5:FB4DFEBE83F554FAF1A5CEC033A804D9
                                                                                                                        SHA1:6C9E509A5D1D1B8D495BBC8F57387E1E7E193333
                                                                                                                        SHA-256:4F46A9896DE23A92D2B5F963BCFB3237C3E85DA05B8F7660641B3D1D5AFAAE6F
                                                                                                                        SHA-512:3CAEB21177685B9054B64DEC997371C4193458FF8607BCE67E4FBE72C4AF0E6808D344DD0D59D3D0F5CE00E4C2B8A4FFCA0F7D9352B0014B9259D76D7F03D404
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):894
                                                                                                                        Entropy (8bit):2.513882730304912
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:12:pPv1OuTerb53mpOBfXjQuZfKWpIXE1D6HRp5c:91OEerb53eUQsflpIP4
                                                                                                                        MD5:D1C53003264DCE4EFFAF462C807E2D96
                                                                                                                        SHA1:92562AD5876A5D0CB35E2D6736B635CB5F5A91D9
                                                                                                                        SHA-256:5FB03593071A99C7B3803FE8424520B8B548B031D02F2A86E8F5412AC519723C
                                                                                                                        SHA-512:C34F8C05A50DC0DE644D1F9D97696CDB0A1961C7C7E412EB3DF2FD57BBD34199CF802962CA6A4B5445A317D9C7875E86E8E62F6C1DF8CC3415AFC0BD26E285BD
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):1150
                                                                                                                        Entropy (8bit):4.824239610266714
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:24:Br5ckw0Pce/WPv42lPpJ2/BatY9Y4ollEKeKzn:h6kPccWPQS2UtEYFEKeu
                                                                                                                        MD5:7D62E82D960A938C98DA02B1D5201BD5
                                                                                                                        SHA1:194E96B0440BF8631887E5E9D3CC485F8E90FBF5
                                                                                                                        SHA-256:AE041C8764F56FD89277B34982145D16FC59A4754D261C861B19371C3271C6E5
                                                                                                                        SHA-512:AB06B2605F0C1F6B71EF69563C0C977D06C6EA84D58EF7F2BAECBA566D6037D1458C2B58E6BFD70DDEF47DCCBDEA6D9C2F2E46DEA67EA9E92457F754D7042F67
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:MS Windows icon resource - 12 icons, 16x16, 16 colors, 4 bits/pixel, 16x16, 8 bits/pixel
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):36710
                                                                                                                        Entropy (8bit):5.3785085024370805
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:IXcWz9GU46B4riEzg8CKcqxkk63gBh6wSphnBcI/ObMFp2rOebgcjTQcho:IMWQ2Bf8qqxMQP8pc4XessTJo
                                                                                                                        MD5:3D25D679E0FF0B8C94273DCD8B07049D
                                                                                                                        SHA1:A517FC5E96BC68A02A44093673EE7E076AD57308
                                                                                                                        SHA-256:288E9AD8F0201E45BC187839F15ACA79D6B9F76A7D3C9274C80F5D4A4C219C0F
                                                                                                                        SHA-512:3BDE668004CA7E28390862D0AE9903C756C16255BDBB3F7E73A5B093CE6A57A3165D6797B0A643B254493149231ACA7F7F03E0AF15A0CBE28AFF02F0071EC255
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):1150
                                                                                                                        Entropy (8bit):5.038533294442847
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:24:MuoBP5lj49s9NRDe4LakKcTM8cv99uGzMN:MlFH3/Ri4LaN3q
                                                                                                                        MD5:661CBD315E9B23BA1CA19EDAB978F478
                                                                                                                        SHA1:605685C25D486C89F872296583E1DC2F20465A2B
                                                                                                                        SHA-256:8BFC77C6D0F27F3D0625A884E0714698ACC0094A92ADCB6DE46990735AE8F14D
                                                                                                                        SHA-512:802CC019F07FD3B78FCEFDC8404B3BEB5D17BFC31BDED90D42325A138762CC9F9EBFD1B170EC4BBCCCF9B99773BD6C8916F2C799C54B22FF6D5EDD9F388A67C6
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):1150
                                                                                                                        Entropy (8bit):5.854644771288791
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:24:u2iVNINssNQhYMEyfCHWZZ7rTRrbWjcyuE:uDW871fdZ1lbWjME
                                                                                                                        MD5:EE2C05CC9D14C29F586D40EB90C610A9
                                                                                                                        SHA1:E571D82E81BD61B8FE4C9ECD08869A07918AC00B
                                                                                                                        SHA-256:3C9C71950857DDB82BAAB83ED70C496DEE8F20F3BC3216583DC1DDDA68AEFC73
                                                                                                                        SHA-512:0F38FE9C97F2518186D5147D2C4A786B352FCECA234410A94CC9D120974FC4BE873E39956E10374DA6E8E546AEA5689E7FA0BEED025687547C430E6CEFFABFFB
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:MS Windows icon resource - 6 icons, 32x32, 16 colors, 4 bits/pixel, 16x16, 16 colors, 4 bits/pixel
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):10134
                                                                                                                        Entropy (8bit):6.016582854640062
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:96:uC1kqWje1S/f1AXa0w+2ZM4xD02EuZkULqcA0zjrpthQ2Ngms9+LmODclhpjdfLt:JkqAFqroMS9lD9Ngr9+m7bxpXHT5ToYR
                                                                                                                        MD5:5DFA8D3ABCF4962D9EC41CFC7C0F75E3
                                                                                                                        SHA1:4196B0878C6C66B6FA260AB765A0E79F7AEC0D24
                                                                                                                        SHA-256:B499E1B21091B539D4906E45B6FDF490D5445256B72871AECE2F5B2562C11793
                                                                                                                        SHA-512:69A13D4348384F134BA93C9A846C6760B342E3A7A2E9DF9C7062088105AC0B77B8A524F179EFB1724C0CE168E01BA8BB46F2D6FAE39CABE32CAB9A34FC293E4A
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:MS Windows icon resource - 6 icons, 32x32, 16 colors, 4 bits/pixel, 16x16, 16 colors, 4 bits/pixel
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):10134
                                                                                                                        Entropy (8bit):4.3821301214809045
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:192:USAk9ODMuYKFfmiMyT4dvsZQl+g8DnPUmXtDV3EgTtc:r9wM7pyEBlcgssmXpVUgJc
                                                                                                                        MD5:B2B1D79591FCA103959806A4BF27D036
                                                                                                                        SHA1:481FD13A0B58299C41B3E705CB085C533038CAF5
                                                                                                                        SHA-256:FE4D06C318701BF0842D4B87D1BAD284C553BAF7A40987A7451338099D840A11
                                                                                                                        SHA-512:5FE232415A39E0055ABB5250B120CCDCD565AB102AA602A3083D4A4705AC6775D45E1EF0C2B787B3252232E9D4673FC3A77AAB19EC79A3FF8B13C4D7094530D2
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (381), with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):115286
                                                                                                                        Entropy (8bit):3.5224883484656044
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:dfz8H5uWKoeGTQGimuuYYl8+PayLqhykz0qFg2EIl:1yIl
                                                                                                                        MD5:ADAF11855C1463B8EB94C2F7BEA6B523
                                                                                                                        SHA1:F2AC6A6144AFCE683955B4831109889AD2FB1696
                                                                                                                        SHA-256:C0C342B39F7EC3F7174DF12FDFDE8D235707243C22F92367BA6C4F134522E3D2
                                                                                                                        SHA-512:3D9C8D2D6042E97DBA0C3FB2D042562DC6CF9AD6551EA5BFFC7EB2B1FD61B643CDD94FE351297DA7FF03C95AA32DC76D5684437C0F614C959B77237ED66DFDA6
                                                                                                                        Malicious:false
                                                                                                                        Preview:<?xml version="1.0" encoding="utf-16"?>..<Setup xmlns="http://schemas.microsoft.com/Setup/2008/01/im" xmlns:ironman="http://schemas.microsoft.com/Setup/2008/01/im" SetupVersion="1.0">..  <UI Dll="SetupUi.dll" Name="Microsoft Visual Studio Tools for Office Runtime 2010 Setup" Version="10.0.60825" />..  <Configuration>..    <DisabledCommandLineSwitches>..      <CommandLineSwitch Name="createlayout" />..    </DisabledCommandLineSwitches>..    <UserExperienceDataCollection Policy="UserControlled" /
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):78992
                                                                                                                        Entropy (8bit):6.042115664108956
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:mXNItbBL5NWiiESy8exWZnqxMQP8ZOs0JSc:mXNAB9NWTZyVc/gBAc
                                                                                                                        MD5:DC0E68D2F5C7894259FE7B78D6336CD8
                                                                                                                        SHA1:F7E243B3B850EB3C2197127BA2CCC64847EA71E0
                                                                                                                        SHA-256:7A4AC2D2F3A3A482E1DA90B368DA1412695D3497C5C887ECE5019190BB9E1E7F
                                                                                                                        SHA-512:8733D7ED09428577DD02278DE64A7A3625B5FCE0C425CC09F73311CC16BA41ECD0CD2F1A1C42886E2F4389FE7EF6D5161174207BF290B55A5D4A59FBEE321672
                                                                                                                        Malicious:true
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):810144
                                                                                                                        Entropy (8bit):6.362812683413623
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:24576:8S62nlYAmRAL10LDDuNkAgkF/WZxtYa8KuKlA1Mi:8S62nlYA6rU/WZxKa8QlA1Mi
                                                                                                                        MD5:1AFB14F57AE1C831F989DB780DE809B8
                                                                                                                        SHA1:7C7CEE33AA85285B98BC62F93B2E693B4D7F956C
                                                                                                                        SHA-256:828A30D690CC3F4B8C9B7ED839FA9A567DAE6379AFB868303B7432303A2C006F
                                                                                                                        SHA-512:2E094E5DC939B399D00833C57C520F9E218885C54C77121F522DAADA37E8E0F1F2BCB510440385B75783626FACE099B6C0564C6D8A16727E799B25A2D121607B
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):296088
                                                                                                                        Entropy (8bit):6.270103067148403
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3072:KLTVUK59JNmC0iy4Ww8oBcPFIOrvHvr8QDZHAAKWiIHT6llN1BkvQZaiio2v5yV+:4GoMFrz8ygAKWiiINKqF3
                                                                                                                        MD5:64445C6086992AD499E98678173439AF
                                                                                                                        SHA1:3AA6FB34A2EC81033A4AAD88ADCBA5E4CB645651
                                                                                                                        SHA-256:53B0798B7FA98C295F6E92AB833DDEE86D0F73A819AB10A38576E402C5D3F378
                                                                                                                        SHA-512:4DFC67C93D7C1B9636805EDF7160A17709E5543F5580183D0FF7FB96CC831BA34F0CAF292CDF2E619CDDE23892A40D3D9FB3AC25F466D42C70184BD7C9425452
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:XML 1.0 document, ASCII text, with very long lines (335), with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):30120
                                                                                                                        Entropy (8bit):4.990211039591874
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:768:hlzLm8eYhsPs05F8/ET/chT+cxcW8G2P4oeTMC:1wchT+cxcDm
                                                                                                                        MD5:2FADD9E618EFF8175F2A6E8B95C0CACC
                                                                                                                        SHA1:9AB1710A217D15B192188B19467932D947B0A4F8
                                                                                                                        SHA-256:222211E8F512EDF97D78BC93E1F271C922D5E91FA899E092B4A096776A704093
                                                                                                                        SHA-512:A3A934A8572FF9208D38CF381649BD83DE227C44B735489FD2A9DC5A636EAD9BB62459C9460EE53F61F0587A494877CD3A3C2611997BE563F3137F8236FFC4CA
                                                                                                                        Malicious:false
                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema".. xmlns="http://schemas.microsoft.com/SetupUI/2008/01/imui".. xmlns:imui="http://schemas.microsoft.com/SetupUI/2008/01/imui".. targetNamespace="http://schemas.microsoft.com/SetupUI/2008/01/imui".. elementFormDefault="qualified"..attributeFormDefault="unqualified"..>.... <xs:annotation>.. <xs:documentation>.. Copyright (c) Microsoft Corporation. All rights reserved... Schema for describing DevDiv "Setup UI Info".. </xs:documentation>.. </xs:annotation>.... <xs:element name="SetupUI">.. <xs:annotation>.. <xs:documentation>specifies UI dll, and lists of MSIs MSPs and EXEs</xs:documentation>.. </xs:annotation>.. <xs:complexType>.. <xs:sequence>.. <xs:choice>.. <xs:element ref="UI" minOccurs="1" maxOccurs="1"></xs:element>.. <xs:element ref="Strings" minOccurs="1" maxOccurs="1"></xs:element>..
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PC bitmap, Windows 3.x format, 200 x 200 x 8, image size 40000, resolution 3779 x 3779 px/m, cbSize 41078, bits offset 1078
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):41078
                                                                                                                        Entropy (8bit):0.3169962482036715
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:24:SgrNa0EfB4elU+jB+rQXJH4+Cs77hIfVHCv4ToqIzgPc8wcKHL+3:3pa0e4YjB5vAHk4E7zgPcDc53
                                                                                                                        MD5:43B254D97B4FB6F9974AD3F935762C55
                                                                                                                        SHA1:F94D150C94064893DAED0E5BBD348998CA9D4E62
                                                                                                                        SHA-256:91A21EBA9F5E1674919EE3B36EFA99714CFB919491423D888CB56C0F25845969
                                                                                                                        SHA-512:46527C88F0AED25D89833B9BE280F5E25FFCEAE6BC0653054C8B6D8EBE34EBA58818A0A02A72BD29279310186AC26D522BBF34191FBDE279A269FC9DA5840ACC
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):14246
                                                                                                                        Entropy (8bit):3.70170676934679
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:384:VAZo71GHY3vqaqMnYfHHVXIHjfBHwnwXCa+F:VAB
                                                                                                                        MD5:332ADF643747297B9BFA9527EAEFE084
                                                                                                                        SHA1:670F933D778ECA39938A515A39106551185205E9
                                                                                                                        SHA-256:E49545FEEAE22198728AD04236E31E02035AF7CC4D68E10CBECFFD08669CBECA
                                                                                                                        SHA-512:BEA95CE35C4C37B4B2E36CC1E81FC297CC4A8E17B93F10423A02B015DDB593064541B5EB7003560FBEEE512ED52869A113A6FB439C1133AF01F884A0DB0344B0
                                                                                                                        Malicious:false
                                                                                                                        Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p.U.I. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p.U.I./.2.0.0.8./.0.1./.i.m.u.i.". ..... . . . . . . . . .x.m.l.n.s.:.i.m.u.i.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p.U.I./.2.0.0.8./.0.1./.i.m.u.i.". .>..... . .<.S.t.r.i.n.g.s.>..... . . . .<.!.-.-. .R.e.f.l.e.c.t.i.v.e. .p.r.o.p.e.r.t.y. .p.a.g.e. .-.-.>..... . . . .<.I.D.S._.C.A.P.T.I.O.N._.F.O.R.M.A.T._.1.S.>.#.(.l.o.c...i.d.s._.c.a.p.t.i.o.n._.f.o.r.m.a.t._.1.s.).<./.I.D.S._.C.A.P.T.I.O.N._.F.O.R.M.A.T._.1.S.>..... . . . .<.I.D.S._.I.S._.R.E.A.L.L.Y._.C.A.N.C.E.L.>.#.(.l.o.c...i.d.s._.i.s._.r.e.a.l.l.y._.c.a.n.c.e.l.).<./.I.D.S._.I.S._.R.E.A.L.L.Y._.C.A.N.C.E.L.>......... . . . .<.!.-.-. .S.y.s.t.e.m. .R.e.q.u.i.r.e.m.e.n.t.s. .p.a.g.e. .-.-.>..... . . . .<.S.Y.S.R.E.Q.P.A.G.E._.R.E.Q.U.I.R.E.D._.A.N.D._.A.V.A.I.L.A.B.L.E._.D.I.S.K._.S.P.A.C.E.>.#.(.l.o.c...s.y.s.r.e.q.
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):36342
                                                                                                                        Entropy (8bit):3.0937266645670003
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:768:S4UR0d5v0SguJQvFQXvDINJh6Fmhvk71sO0Nep3UL9Eu+dOtOcOdOjT5fuPkfuS:S4UR0d5v0QYQLIN/6Fmhvk71sO0Nep3q
                                                                                                                        MD5:812F8D2E53F076366FA3A214BB4CF558
                                                                                                                        SHA1:35AE734CFB99BB139906B5F4E8EFBF950762F6F0
                                                                                                                        SHA-256:0D36A884A8381778BEA71F5F9F0FC60CACADEBD3F814679CB13414B8E7DBC283
                                                                                                                        SHA-512:1DCC3EF8C390CA49FBCD50C02ACCD8CC5700DB3594428E2129F79FEB81E4CBBEEF1B4A10628B2CD66EDF31A69ED39CA2F4E252AD8AA13D2F793FCA5B9A1EAF23
                                                                                                                        Malicious:false
                                                                                                                        Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p.U.I. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p.U.I./.2.0.0.8./.0.1./.i.m.u.i.". .x.m.l.n.s.:.i.m.u.i.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p.U.I./.2.0.0.8./.0.1./.i.m.u.i.". .>..... . .<.U.I.>......... . . . .<.R.e.s.o.u.r.c.e.D.l.l.>.S.e.t.u.p.R.e.s.o.u.r.c.e.s...d.l.l.<./.R.e.s.o.u.r.c.e.D.l.l.>..... . . . .<.S.p.l.a.s.h.S.c.r.e.e.n.>..... . . . . . .<.H.i.d.e./.>..... . . . .<./.S.p.l.a.s.h.S.c.r.e.e.n.>......... . . . .<.L.C.I.D.H.i.n.t.s.>..... . . . . . .<.L.C.I.D.H.i.n.t.>..... . . . . . . . .<.R.e.g.K.e.y.>.H.K.C.U.\.S.o.f.t.w.a.r.e.\.M.i.c.r.o.s.o.f.t.\.V.i.s.u.a.l.S.t.u.d.i.o.\.9...0.\.G.e.n.e.r.a.l.<./.R.e.g.K.e.y.>..... . . . . . . . .<.R.e.g.V.a.l.u.e.N.a.m.e.>.U.I.L.a.n.g.u.a.g.e._.f.a.k.e.<./.R.e.g.V.a.l.u.e.N.a.m.e.>..... . . . . . .<./.L.C.I.D.H.i.n.t.>..... . . . . . .<.L.C.I.D.H.i.n.t.>..... . . . . .
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2010 x64 Redistributable, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219., Create Time/Date: Wed Jun 29 03:00:42 2011, Name of Creating Application: Windows Installer XML (3.5.0626.3), Security: 4, Template: x64;0, Last Saved By: x64;0, Revision Number: {1D8E6291-B0D5-35EC-8441-6616F567A0F7}10.0.40219;{1D8E6291-B0D5-35EC-8441-6616F567A0F7}10.0.40219;{5B75F761-BAC8-33BC-A381-464DDDD813A3}, Number of Pages: 200, Number of Characters: 153223199
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):4637184
                                                                                                                        Entropy (8bit):7.994962048491895
                                                                                                                        Encrypted:true
                                                                                                                        SSDEEP:98304:v03YogTE/3ftYrhhHk6K3N04fREXLNaxCSVMZhQ1f:ZgGhRk6KdNfS6vuo1f
                                                                                                                        MD5:905FCC526204DDF1E6650212ABC3D848
                                                                                                                        SHA1:ADED77F45B75D796CC4795263C826C822DF5F0D9
                                                                                                                        SHA-256:4CD45CF57644D49B4C8F96E4A0EFDC46A5BA196FA4F5A10190F790CCC74BB1BF
                                                                                                                        SHA-512:9470FCD540EA542936120782AA31ABECAF5D20CADD13FF82AD346F78F95020958937BEB2BFCF5EA4DE92C978338F5A324E334229C79F8166C66A1465E191BA47
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:Microsoft Cabinet archive data, 4872031 bytes, 19 files, at 0x44 +A "F_CENTRAL_atl100_x64" +A "F_CENTRAL_mfc100_x64", flags 0x4, number 1, extra bytes 20 in head, 444 datablocks, 0x1503 compression
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):4877975
                                                                                                                        Entropy (8bit):7.9998740597269355
                                                                                                                        Encrypted:true
                                                                                                                        SSDEEP:98304:kQ9QwhEDvkC7OSEEA8cWnjlaVjhx05JXW0UE2pSh1b38M:k7wWDvkGRFRrjla/a5JXD2grbMM
                                                                                                                        MD5:C2B6838431748D42E247C574A191B2C2
                                                                                                                        SHA1:F01C1A083C158D9470DA3919B461938560E90874
                                                                                                                        SHA-256:387E94A26165E4E5F035D89F9C6589A8A9D223978ABBCC728B4C45C0115267A6
                                                                                                                        SHA-512:5CF95C3CBE10A75360BC4D02840E196C919BCD2FD42BA86192D25D781D00E8019217A9C8829F51A2924D8C95BD48E06728A3530E3344000CAC79C4B0E7FAFF91
                                                                                                                        Malicious:false
                                                                                                                        Preview:MSCF...._WJ.....D..........................._WJ.8...........[.......Hk........S>|. .F_CENTRAL_atl100_x64.H.U.Hk....S>|. .F_CENTRAL_mfc100_x64.P....zW...S>|. .F_CENTRAL_mfc100chs_x64.P.....X...S>|. .F_CENTRAL_mfc100cht_x64.P...0.X...S>|. .F_CENTRAL_mfc100deu_x64.P.....Y...S>|. .F_CENTRAL_mfc100enu_x64.P....gZ...S>|. .F_CENTRAL_mfc100esn_x64.P... a[...S>|. .F_CENTRAL_mfc100fra_x64.P...p\\...S>|. .F_CENTRAL_mfc100ita_x64.P....O]...S>|. .F_CENTRAL_mfc100jpn_x64.P.....]...S>|. .F_CENTRAL_mfc100kor_x64.P...`.^...S>|. .F_CENTRAL_mfc100rus_x64.PyU..._...S>|. .F_CENTRAL_mfc100u_x64.Pk........S>|. .F_CENTRAL_mfcm100_x64.Pk..Pv....S>|. .F_CENTRAL_mfcm100u_x64.PG.......S>|. .F_CENTRAL_msvcp100_x64.P....(....S>.. .F_CENTRAL_msvcr100_x64.P...@.....S>|. .F_CENTRAL_vcomp100_x64.P.........S>|. .FL_msdia71_dll_2_60035_amd64_ln.3643236F_FC70_11D3_A536_0090278A1BB8.0d,2F=..[......w...d.5..o.{{{k.V..R.UZ.1.....z..1..Q.4+!.+TZ.ym..Nwwp.;..~.5..B..kE:..9y...iu.K..d..L....{....l....3..;...c.sf.9gw.<..P|U
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2010 x64 Redistributable, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219., Template: x64;0, Revision Number: {80902F2D-E1EF-43CA-B366-74496197E004}, Create Time/Date: Sun Feb 20 06:51:54 2011, Last Saved Time/Date: Sun Feb 20 06:51:54 2011, Number of Pages: 200, Name of Creating Application: Windows Installer XML (3.5.0626.3), Security: 2, Number of Words: 2
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):177664
                                                                                                                        Entropy (8bit):6.308605018559318
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3072:dOTekSoT5jr0BDKE6wIZzx3U9oTCR7XxA5SNmjWVcqelSxbfU75B79o:MT9SoT5+DzE3Ere5Yi
                                                                                                                        MD5:8F21BC0DC9E66F8E9D94197AE76698B3
                                                                                                                        SHA1:B48A08FDE80F739657B819B94602F861F3FF57A4
                                                                                                                        SHA-256:5763364634BDB2097B6DF6CDE79AC5CCE6069ACECF27254C589E3CABFFE53C2B
                                                                                                                        SHA-512:88FD8870BC0F5DBDD2CB4A6A97CF4B1AB81D7FF77C2B2A4D1F6B34A730D0347A5022ECC8CA5B2E7C5F7C2CBE0486D5046CFAFCB8167E001E1AC5E1797D03278A
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2010 x86 Redistributable, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219., Create Time/Date: Wed Jun 29 03:19:52 2011, Name of Creating Application: Windows Installer XML (3.5.0626.3), Security: 4, Template: Intel;0, Last Saved By: Intel;0, Revision Number: {F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}10.0.40219;{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}10.0.40219;{1F4F1D2A-D9DA-32CF-9909-48485DA06DD5}, Number of Pages: 200, Number of Characters: 153223199
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):4028928
                                                                                                                        Entropy (8bit):7.99425811627881
                                                                                                                        Encrypted:true
                                                                                                                        SSDEEP:98304:lEpd3qZ0G3garI8w8xhB2TU01SHMMV6ZArX:KaZtC8vBy10M4
                                                                                                                        MD5:9843DC93EA948CDDC1F480E53BB80C2F
                                                                                                                        SHA1:D6EC9DB8B8802EC85DD0B793565401B67AD8E5E0
                                                                                                                        SHA-256:7C969FCDA6EF09D2EB7BBBC8D81795EB60C9C69ED835FD16538369AD0A6E0F10
                                                                                                                        SHA-512:79008CFDD8AE1EA27675588E7BA8123D08CE14047E5F167B3B5F6FBCDADEB45515BD72E18E59ABF632ECBFBB42243FBCBEBE4CBE0ED6BA195D0B2CA6D88676F9
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:Microsoft Cabinet archive data, 4218761 bytes, 19 files, at 0x44 +A "F_CENTRAL_atl100_x86" +A "F_CENTRAL_mfc100_x86", flags 0x4, number 1, extra bytes 20 in head, 357 datablocks, 0x1503 compression
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):4224705
                                                                                                                        Entropy (8bit):7.999824074209114
                                                                                                                        Encrypted:true
                                                                                                                        SSDEEP:
                                                                                                                        MD5:C580A38F1A1A7D838076A1B897C37011
                                                                                                                        SHA1:C689488077D1C21820797707078AF826EA676B70
                                                                                                                        SHA-256:71C0ACC75EECDF39051819DC7C26503583F6BE6C43AB2C320853DE15BECE9978
                                                                                                                        SHA-512:EA3A62BD312F1DDEEBE5E3C7911EB3A73BC3EE184ABB7E9B55BC962214F50BBF05D2499CAF151D0BD00735E2021FBEA9584BF3E868A1D4502B75EC3B62C7FF56
                                                                                                                        Malicious:false
                                                                                                                        Preview:MSCF....._@.....D............................_@.8...........Y...e...H.........S>f. .F_CENTRAL_atl100_x86.H.C.H.....S>f. .F_CENTRAL_mfc100_x86.P....4E...S>f. .F_CENTRAL_mfc100chs_x86.P.....E...S>f. .F_CENTRAL_mfc100cht_x86.P...0OF...S>f. .F_CENTRAL_mfc100deu_x86.P....JG...S>f. .F_CENTRAL_mfc100enu_x86.P....!H...S>f. .F_CENTRAL_mfc100esn_x86.P... .I...S>f. .F_CENTRAL_mfc100fra_x86.P...p.J...S>f. .F_CENTRAL_mfc100ita_x86.P.....K...S>f. .F_CENTRAL_mfc100jpn_x86.P.....K...S>f. .F_CENTRAL_mfc100kor_x86.P...`^L...S>f. .F_CENTRAL_mfc100rus_x86.P}C..KM...S>f. .F_CENTRAL_mfc100u_x86.P?.......S>f. .F_CENTRAL_mfcm100_x86.P?..P.....S>f. .F_CENTRAL_mfcm100u_x86.Pm...G....S>f. .F_CENTRAL_msvcp100_x86.P.......S>.. .F_CENTRAL_msvcr100_x86.P...@.....S>f. .F_CENTRAL_vcomp100_x86.P3...K....S>f. .FL_msdia71_dll_2_60035_x86_ln.3643236F_FC70_11D3_A536_0090278A1BB8..^b..:..[......+.."SP$......W..de`e. .(.$.gV...2..X.A....*..y....v..a.....v......+.A.Q...k....,.<..`f..F........4.]..l.|wq..\..\../.[.=Y..nG.
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2010 x86 Redistributable, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219., Template: Intel;0, Revision Number: {461C455E-DA40-49B3-871B-14308CC7CEFF}, Create Time/Date: Sun Feb 20 07:03:10 2011, Last Saved Time/Date: Sun Feb 20 07:03:10 2011, Number of Pages: 200, Name of Creating Application: Windows Installer XML (3.5.0626.3), Security: 2, Number of Words: 2
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):163840
                                                                                                                        Entropy (8bit):6.375644516596573
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:
                                                                                                                        MD5:3FF9ACEA77AFC124BE8454269BB7143F
                                                                                                                        SHA1:8DD6ECAB8576245CD6C8617C24E019325A3B2BDC
                                                                                                                        SHA-256:9ECF3980B29C6AA20067F9F45C64B45AD310A3D83606CD9667895AD35F106E66
                                                                                                                        SHA-512:8D51F692747CFDD59FC839918A34D2B6CBBB510C90DEA83BA936B3F5F39EE4CBD48F6BB7E35ED9E0945BF724D682812532191D91C8F3C2ADB6FF80A8DF89FF7A
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PC bitmap, Windows 3.x format, 49 x 49 x 24, image size 7254, resolution 2834 x 2834 px/m, cbSize 7308, bits offset 54
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):7308
                                                                                                                        Entropy (8bit):3.7864255453272464
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:
                                                                                                                        MD5:3AD1A8C3B96993BCDF45244BE2C00EEF
                                                                                                                        SHA1:308F98E199F74A43D325115A8E7072D5F2C6202D
                                                                                                                        SHA-256:133B86A4F1C67A159167489FDAEAB765BFA1050C23A7AE6D5C517188FB45F94A
                                                                                                                        SHA-512:133442C4A65269F817675ADF01ADCF622E509AA7EC7583BCA8CD9A7EB6018D2AAB56066054F75657038EFB947CD3B3E5DC4FE7F0863C8B3B1770A8FA4FE2E658
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):144416
                                                                                                                        Entropy (8bit):6.7404750879679485
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:
                                                                                                                        MD5:3F0363B40376047EFF6A9B97D633B750
                                                                                                                        SHA1:4EAF6650ECA5CE931EE771181B04263C536A948B
                                                                                                                        SHA-256:BD6395A58F55A8B1F4063E813CE7438F695B9B086BB965D8AC44E7A97D35A93C
                                                                                                                        SHA-512:537BE86E2F171E0B2B9F462AC7F62C4342BEB5D00B68451228F28677D26A525014758672466AD15ED1FD073BE38142DAE478DF67718908EAE9E6266359E1F9E8
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):552656
                                                                                                                        Entropy (8bit):7.957712058604565
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:
                                                                                                                        MD5:2A74E9D49C692C1E38D8568AEC7661F4
                                                                                                                        SHA1:504CDBB39E2D9756EDB4388AD343FE0DB8F8E7EF
                                                                                                                        SHA-256:FDFC5E67CCEFAB3854FF00CF3CFEFC1BD0B146FBE83014FCF497D7D54873D659
                                                                                                                        SHA-512:5E9FF38A6552B2A83A915890C90AB9E0AA10AFEA31D3D13A312BE52B748A5139FCE62E1EA52D0F1093D27A5923D7A20F27933811A3C951F99F7CFD9694A5538D
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):542416
                                                                                                                        Entropy (8bit):7.956324892792095
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:
                                                                                                                        MD5:7C509A4D66CD28D0640767ADD08E7331
                                                                                                                        SHA1:964AB3DA4848A587D4A88FB88874DCA462A3E6F0
                                                                                                                        SHA-256:6F83EB5364E5C5E08BB3ED7BBB5D7E3150B32B422D159BE00EE81D8171D6F75B
                                                                                                                        SHA-512:EEFEBA02941969A34DF481FF5DB87E7DEA4AC61F2178966D608108F281A1062738BF4A95CFAE4E95C3634F82684E2046C22A7DFEE2A832E052EE963EDFE76ADA
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):537808
                                                                                                                        Entropy (8bit):7.956956038879224
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:
                                                                                                                        MD5:91289959763F54D22B2F07B80CAE3C1F
                                                                                                                        SHA1:678E72A565CA1924B5972510D4EE6A66B7F62A88
                                                                                                                        SHA-256:F7E5AD747BC7E513DEF8C94803475E539CCB9BD11F6424BE9FFB8FA7AB840CCF
                                                                                                                        SHA-512:4B1C7CE49001EA29757799DAB67AB4299F8CBDB6781FC8E254DE7884D82D644F325B2DB08A209C64A9A93A2A07D0DF0237E4365108303B4F91B713E2BB9813F3
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):544968
                                                                                                                        Entropy (8bit):7.95501225671662
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:
                                                                                                                        MD5:D921529CB37FD9EF6A645337F1E80DDB
                                                                                                                        SHA1:BF61199A20491FB6946667A14B61F658026A5149
                                                                                                                        SHA-256:85E97A4A086AD685508BB0E39395FE7FAFD90D768601DB13DD0A5AC50B4C4FFC
                                                                                                                        SHA-512:B1FB1E02DCCCB5CE017A5626EA4E88053D137A3CD148B0C26544BB0AAFDDA2FDB712B896097305A5881569CA3F288883A56D021C1CAEF96CDCAA8815A3743264
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):545992
                                                                                                                        Entropy (8bit):7.954002721782527
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:
                                                                                                                        MD5:0C17BE44FAFC0C7DB685EB6BD30B776B
                                                                                                                        SHA1:66E3EE1B75CC5CE92A8BFDB01AFE7DBBDA39C736
                                                                                                                        SHA-256:BD89BED2769A353E7F15B48211E31E596DFCD6F69AA85E901F11FA739CBB7CA0
                                                                                                                        SHA-512:ACDD3D65BB8620B5F151B5188D767B0404D43E8C4BD6D0C2B2A52F8A60A65D85C56CF96965A5575C21F7D68BA544EDC3721C4B11398C7C3F47BF4F0406F66F8C
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):543440
                                                                                                                        Entropy (8bit):7.95427769522981
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:
                                                                                                                        MD5:CB4E1C500E25FFBFF91D0FB3BBC53E95
                                                                                                                        SHA1:CA5B8232D5D01F01422B9825A00A0B52C8A0E5AD
                                                                                                                        SHA-256:FDD5361642BD460C782670E56E192090559C26B97962168329CB369E6940A99C
                                                                                                                        SHA-512:9DEC3E45689163E04FBB3F7C60267143BAAB3F57C973F24D9AD45A61073C65F437179BB68ABB1608D1A8FFF88AC8124FCD49D04AF4D1E9A27AC356653846C17B
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):547528
                                                                                                                        Entropy (8bit):7.955068805775775
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:
                                                                                                                        MD5:B1608C97F0954EA7AA7B37FD586FC362
                                                                                                                        SHA1:4E47D9AADEC853950F93578EF67E446B40451C52
                                                                                                                        SHA-256:7504D074227A2EB0414D4FC3EAC26FF93A93004542ABA1792979A2D2A33DF226
                                                                                                                        SHA-512:B6474E1E22E35FC3790232D37D52B9CA2D7A2FCBD1E9C6085B1DA95E9F287DF00D291F0E159B0A882B3A1CCD308FBC49395010D13A5997110B25C5305FAB722A
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):541384
                                                                                                                        Entropy (8bit):7.952415718755693
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:
                                                                                                                        MD5:DE117125977DB80DBA1886629AEF0E35
                                                                                                                        SHA1:E049D4468CCF06B31D35FE568EFDA3C7413CCD61
                                                                                                                        SHA-256:6D189B18D634469FCDE79CAED6B1A30E16CBBEDF7622B247E19D95D0220C973D
                                                                                                                        SHA-512:89EAFE9C21248B1502479A1CD76F679CB396EDCED82DB683EB9FC7B57AE1CE944C58ADC6E54C8C4CDE06216F5C7A08212C928115DE3133112743FC66AC58E16F
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):547528
                                                                                                                        Entropy (8bit):7.957960052771031
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:
                                                                                                                        MD5:9F469DF842B33CEAF894DEFA22CB6A15
                                                                                                                        SHA1:99F11CEAFB38711DF3D140EB6EDD11D94CA6AA3D
                                                                                                                        SHA-256:7D5609254E8F0733592E9E7FD2A2F068F2AF65DA17ED4FC342771182A47AB5A3
                                                                                                                        SHA-512:A32F8C7D94EF4712F2DEEB9B5369B14922EFF8770087E027D4645C3D31BD3C06F7F8FB736D6C82B6870CC146F1899A07C625C4B095B212D0FBF8802B73157C56
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):543944
                                                                                                                        Entropy (8bit):7.953439583107411
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:
                                                                                                                        MD5:8AE7F77A415C45D712BFF150562D6976
                                                                                                                        SHA1:E2579A7CC52CA9F0FF2E77BA762EC1FCE471EF69
                                                                                                                        SHA-256:5B06E7B690C0D0F77E0665135006C1BDDEC5B9BA0DBE88F3F20272AA8238421F
                                                                                                                        SHA-512:5BBBA734B8844554BF2CA28FB649886F15BC0D5D8CFB7CD8B6A80BB3D31CF91B3A1F611FFD1EBD88B8B1A64EB24EC2B8587112C3C105AD2B17109396CF365847
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):543440
                                                                                                                        Entropy (8bit):7.956008314189626
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:
                                                                                                                        MD5:A0397A280D88C1F2FF0608C3FE2C4817
                                                                                                                        SHA1:3E4004587BE3DB0C4ACBB936D31DE0225FBD0045
                                                                                                                        SHA-256:16A3B378BC4A37CEDAE969D1AE7ADEB35F6A6042AAA64B915F1B7084F7F61A22
                                                                                                                        SHA-512:00557071461CE15F5F89B060C18C217C6B8E69AB9C77B3564C2B0329A418F3C6B58AA01A05A6499EF2AAF4BC696E2A02D5683D8C4951326012DF2DE3E09385EA
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):535752
                                                                                                                        Entropy (8bit):7.954747666710715
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:
                                                                                                                        MD5:D70C9E78AAE2F295EDF03EB310E8EAF9
                                                                                                                        SHA1:F1841C135BFB0F7E5E16EB8EF4BB7AECF72B9B22
                                                                                                                        SHA-256:59CE9D917EB89E2CBC3D4A66F0555A317E300CC53529B4DC7954B52897A9BD97
                                                                                                                        SHA-512:4969952515A25E4674692ED26D22064C76FCB94E3505B60A92D9E62FECF3571A1DE2F6FE65D01490782E278664E3D54C07543FB97FFDF863DA13DF2990ACF3DF
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):548552
                                                                                                                        Entropy (8bit):7.953971612012602
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:
                                                                                                                        MD5:BA6BB2DCC110CF970D2D28FB3156CA19
                                                                                                                        SHA1:0411CE7833AA6BB38B106CB4D6663DDE4E723093
                                                                                                                        SHA-256:9093B6C87A93E4B90F7B252612A0F2E51E284259432EED78CA684AA10ACB597A
                                                                                                                        SHA-512:36B78B2165686E4FB9B2E30F5ED2BE9DF47A72592CCFEC3A11130AB4D1144454192D842E6E3567C4971180D06165AA2F5A4EFDBDFC146D735542DBD135AD6BA4
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):547536
                                                                                                                        Entropy (8bit):7.954321629911462
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:
                                                                                                                        MD5:0AED902207AB1A31F9FF8427000826BB
                                                                                                                        SHA1:F8066CDA2953139454B2B3922C99AAA0F6D40014
                                                                                                                        SHA-256:824015825A5862A4845253D3B52E64D7A9D5C066FA383E43B96973EE9C17CE65
                                                                                                                        SHA-512:708C1BAFB9773E82EE0F322D773AAF47B423E04A5C78A276F54BDAE0BC492C7E4FB24F136FC485157308952F0E2573627240F992676D69284290A74CE801D54F
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):548040
                                                                                                                        Entropy (8bit):7.954539224370836
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:
                                                                                                                        MD5:893ABE235568F1F8E9B6D89691923152
                                                                                                                        SHA1:557A1E2BD06FC04CB7AE4D0C958A0B4F7D9AC7D6
                                                                                                                        SHA-256:086BDC3119E7AFBB6E18AA23A004E3CA4FB347E9F7CDE53B8D5D35FD39670A02
                                                                                                                        SHA-512:A6E8152529D0AA386C3213BE425662DC92F21CF501FE9CEB377904E5337AD74E1B654A54A5A7F35571C26509A245B69727D59192A98CBBA13B9494DB1B53275D
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):548552
                                                                                                                        Entropy (8bit):7.953245146427829
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:
                                                                                                                        MD5:BCF180643CC268F88B24EDBADE995309
                                                                                                                        SHA1:7F506EA7C69AFFDB52A1CA5CEF8E4AA918A86C42
                                                                                                                        SHA-256:388C83017A001AA799EC63C7D564A272CD33FBE680594045D2364E655E05A239
                                                                                                                        SHA-512:C768C0A726B01D890AE7E51F0DB222B11D08F0814FFFC8F414DCC914160388726E75869D306C44EF73A8B7908094A1132C44B6C7B90FC61D0B6CA3558790A960
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):555208
                                                                                                                        Entropy (8bit):7.958140730271209
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:
                                                                                                                        MD5:691412D66A8356AF4D4DA120E8765F49
                                                                                                                        SHA1:DF4AFD221A9ECEA239D9CF669155769E7201EE9C
                                                                                                                        SHA-256:23D4D2BC0A717BA9FCBC628C13A62C43D80DF471D6D0542B8A42B9F143105729
                                                                                                                        SHA-512:E185C5BBFBD9423017BB60DE72685204D89AD740B31C9652998324973A392FA2715F67AC557E68C3D7239D812AD1EDE43F2CFD6315D4CF3B0C7CF1E2350620BD
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):544456
                                                                                                                        Entropy (8bit):7.954856341939202
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:
                                                                                                                        MD5:CBB354ED8180BFB6EE1634DDED43AA53
                                                                                                                        SHA1:85F8AB37667650AF357C39D31461643F0487C2E0
                                                                                                                        SHA-256:D2D6560E7C3E86E2C82859B7323078457461D209B970A768B343AE0E563BDE8A
                                                                                                                        SHA-512:6812AC31E3546942EBEA3F8FFAA46C6773F9CFBFF88AD13950AE7EA2729946AC064228F69D4BB9AF837060CE06AF348C67D7919C0635E254B6ECA8D2389F0ADD
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):491208
                                                                                                                        Entropy (8bit):7.9480726046159615
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:
                                                                                                                        MD5:AEFCDC5FAECBB279DB3B0B83DF733C54
                                                                                                                        SHA1:A2FB4AD44BC67CAC2296B6E224BD2DD708F79A89
                                                                                                                        SHA-256:FBF2EDE54170A44C137A83E3826E4CC90387362E1DD3026A7BEBB68DF0367C61
                                                                                                                        SHA-512:4336256E99FD76E955BB6F97A78A3799B9EDE011E5A14722708B9F946E7D96A6F119EB97E1BFB3D63606176DB0258667BA2537B5473D67EA60830CB7CBF145C9
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):481480
                                                                                                                        Entropy (8bit):7.945745343613268
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:
                                                                                                                        MD5:2C1B85BDDC9D751372D132D797A347A2
                                                                                                                        SHA1:61220129EEAA4A3F206585C966E9BC420083EE6A
                                                                                                                        SHA-256:2C713C5E51C66E83D6BED6424A040F7FA982ED6EB1107E32C831CF850FD402CD
                                                                                                                        SHA-512:733AB1136804D92FAA664FC63F3D9EDC9B67EAA38E57B753CFCFB9187D79EFC2BEF678088B3C8455AB7DCD56C8B8D5A02E38EFFD23C67FA8872F0A631E8EBD13
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):475856
                                                                                                                        Entropy (8bit):7.946227600962261
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:
                                                                                                                        MD5:67074BA8EBCDAB9FE075FD46F222321C
                                                                                                                        SHA1:5A65796275DC8A7522FD9E3A17ADA24B6B1D7822
                                                                                                                        SHA-256:9BA0D7345DD28EA7D628EF73F5144653422FC7828DD7DF0EB54713B92D89035B
                                                                                                                        SHA-512:48A27445CE4FE0764070AF5FD09D19F243B56493082B54887242341F123A735E0420DF27DEC8CB5E0637E5DFDDEC863D5E72905D3B736075C864D1EC5E4FE7C0
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):483016
                                                                                                                        Entropy (8bit):7.945617825084998
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:
                                                                                                                        MD5:E63D712D66814D08449B347B19EA1AA7
                                                                                                                        SHA1:455023E78AE4E8CEE0325B37D3FC5FC98A66B4D4
                                                                                                                        SHA-256:5AD0D90713BF4785121603F76BF09D85B6BFBE9CD269A07BB1198FA486D1372A
                                                                                                                        SHA-512:981379AC3425A1338C3571AF4F1E2241B6A15572A6194116F5B88E7E33A62A2AF9D6A7F3F7814C23D8826AB33D8FF8645505B62F71F29BD576C228D6B95CDFDC
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):485576
                                                                                                                        Entropy (8bit):7.944430110766656
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:
                                                                                                                        MD5:7D6C56DF9D318E4326E95726246C282D
                                                                                                                        SHA1:81690644056301B48FCB44BA4DB55BDE53CAAD0F
                                                                                                                        SHA-256:9BD0F67A6C595E980DD1A6AFE63CF7942AC5ACFC88407621B616B29BCF9C8EA5
                                                                                                                        SHA-512:7B9E6601628CBC8AE03930BD9B3EF575735B21605237491E73D3E4744E37D3DC4D26C932FA5842DFD9F2F862596D0436E44BD42A05FE32F7B32FAFA00FB7024D
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):482512
                                                                                                                        Entropy (8bit):7.946061569797945
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:
                                                                                                                        MD5:2A8C4E1C3A3247CEF40CDA839DF4FD0A
                                                                                                                        SHA1:0EF01E3EFA9F76D7421E032865DC574A5396EB9F
                                                                                                                        SHA-256:B2414568254FE0DC03825EEBB300287843920E46AB54F3DB976974AA87B7D9D9
                                                                                                                        SHA-512:35CD0340CF47566ED7397F61E8A67891CFB4A99240D32E1221C2C9D29A2417212EB0E618F01FADDA45343DAF1FF624EABFB4F435A04B24FFA450B8FB75A2D6DE
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):485576
                                                                                                                        Entropy (8bit):7.94374799267307
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:
                                                                                                                        MD5:6F84EC869BFD0A9A04B50ADC436FF418
                                                                                                                        SHA1:48C0A4FF5335F5797B7DB6303304D000624B3E88
                                                                                                                        SHA-256:4CA0275D46EDD0D28BA8C793CFA6E683CB31E367C9D28ADCC81C90305D8325AF
                                                                                                                        SHA-512:72EC9850F839E8B1368DB51B1E563421B3B02B3CCA8FDC7C8A444A319ED435770EE1D86F37DD0148C6267AE62A2C503158221DC9BB0DA2FEFD50619BC351E273
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):481992
                                                                                                                        Entropy (8bit):7.94125870267983
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:
                                                                                                                        MD5:880807C087D6CB9002BEBBD19DFBEE0B
                                                                                                                        SHA1:36750BAE95429AC48EE5E46B2EEDB27C5551D90B
                                                                                                                        SHA-256:B1A0EC74E264DFC49C0D3E8D9EEDD10F840156B78C0538989A22BF1DA74B9A61
                                                                                                                        SHA-512:F0493D78F4410BC1ECFB8B24E63A941DF4875C036508343A1A61B9AB0E941D44F941418B8D244102A206AC00F5ED4335DC551C6F1F976CDFDDC25BB7106DF089
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):487112
                                                                                                                        Entropy (8bit):7.9491582760888555
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:
                                                                                                                        MD5:E729833409ADA3718EACC83147FD0D09
                                                                                                                        SHA1:DC4AF587C656F1F7D0C3AB77BE6B3B999FD541D7
                                                                                                                        SHA-256:546624660A4932227A57091E855E57C6ED9320357BDA99BECD43AA7F8407E334
                                                                                                                        SHA-512:743F87AB621AE38A6315829D8937EC4C51DD6E51D246B4EDA58F43EBD6EDD3153B674E45797A0C35FD8C351FEB0F66C709A74E6D62DD75273781DFEF623578A8
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):483016
                                                                                                                        Entropy (8bit):7.94464882649723
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:
                                                                                                                        MD5:1920EE36B0A4E4A0DB13FB0373121ABD
                                                                                                                        SHA1:5E35CB15B877411F0ACA299653BFBE45B3C285CB
                                                                                                                        SHA-256:A03770728A38628C15BB64C635AEFAF66646E0A44D4398A0B1E6EB3D4FACA92F
                                                                                                                        SHA-512:9304B858FC0C82623CA26C28B4EADB07A0F81A2E0F6B31DA02A6BF873A2904240D2DCF48E5AF2F6A0520DFA81DF77CB85DBD2A6BB42BDB188339264C5DB14F41
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):485576
                                                                                                                        Entropy (8bit):7.946284501132917
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:
                                                                                                                        MD5:8CEE83AD7195D9C01CFA5F0AC54131A6
                                                                                                                        SHA1:AEF2336000A15C8DA681F5D3EB8C1D7BBA15E693
                                                                                                                        SHA-256:C2BAA74B413F7134E1781EA9358AF3C24B11E5F349460BBE8F3272761ED10FFB
                                                                                                                        SHA-512:54C3A87DDE98FC4184F40B9929EF123FAB04520A5FBD7B49030FA00A9D7A61EA51E6B2957245AB5A95758A394D298B23DDBDD073F56082945C398BB3723A43EE
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):477384
                                                                                                                        Entropy (8bit):7.9463516123943565
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:
                                                                                                                        MD5:FF79A2F6BBFCD5FC15C31F87293C2FE6
                                                                                                                        SHA1:1A3D40675F699C14D475EC35F555E1F4218CD73D
                                                                                                                        SHA-256:320EC8DA239F9AE4F42346B1987C5D9FA87D0A79AF3ED1F17BDE2E00969BD805
                                                                                                                        SHA-512:D7379EA1D53840F2C291C3DDDA7060F187F14384EC16963003637BE3F5968033739FE8E004F04B03199B5DC8899E8719660204BABC5A0E938D4CEF081AE745E9
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):486600
                                                                                                                        Entropy (8bit):7.943996013436308
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:
                                                                                                                        MD5:DB12D209624B39A2C277D69966950B82
                                                                                                                        SHA1:2CBCC5995E2E942523C7A58B69C26AB8F6ACABB7
                                                                                                                        SHA-256:92A8EF829EDF4A43505F69E79019AB9CA24644A49B9859D9885676AA438F55EA
                                                                                                                        SHA-512:A335D1A3CCAA120387AF1A619817935C7C147C41E089530D05C5DC9BE4E02A5233BC7EA81102850BF865F7CACB6726FE7574E4AAB245746F065F03559A29039A
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):487624
                                                                                                                        Entropy (8bit):7.944466657377822
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:
                                                                                                                        MD5:0C16B7CC28691FF835F075B765326CDA
                                                                                                                        SHA1:2ACEF43E1E15ED0B7A558ED582DE5498641356F1
                                                                                                                        SHA-256:BA62238DD5C4868E96472C33D1CEB10F500EA29BBF49CC370A4A1A1AFA44A345
                                                                                                                        SHA-512:C79B3F767EE90B3A028AE0B30F015BA53BBB348399AF215054A3D8D731BB7E5B7535008C22FA22C603F29D4AF47A6AA1365D28841234A40FA7F9135ACA0C5743
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):485584
                                                                                                                        Entropy (8bit):7.9442158938209735
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:
                                                                                                                        MD5:A3BE4F173E9E87AFF860FA84A97FB594
                                                                                                                        SHA1:FAF06F5575AAA6AAA5C2A8771A8EC33DCA506FFC
                                                                                                                        SHA-256:68C095F6CF10E89E26FC45F6251931A8A2E5AA45016DDCD1F8C99EDEA195DFB7
                                                                                                                        SHA-512:16583E851CED0F5B460E90CC749CD4EDD48A3C9072B6A596DC6DA073A51E663DA99513E8900003CE03D2029F925C6F4F6239EB065A45CE9E3A389D97459DBDC7
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):487112
                                                                                                                        Entropy (8bit):7.944279006920532
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:
                                                                                                                        MD5:827FE9E1189D995FBFE524B71A0F0513
                                                                                                                        SHA1:9494D5EFCD52CB1121DD74157529A24279032051
                                                                                                                        SHA-256:37FAC212CAE54B5800F5C52D016CD83D7F400C4401D3557C5F214DC7C16ECF9A
                                                                                                                        SHA-512:44579D73F35FEF8362D014822B0439882C7EA90C79C72EFF14D4BAAA4EC55D4DAA55B01F110EBBCCE3E22031381B1AAF1C098A082C61CEC28B76EB179EC42EA6
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):492744
                                                                                                                        Entropy (8bit):7.9465527932963305
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:
                                                                                                                        MD5:8A0357DD262EACA614B7702BB540BF3C
                                                                                                                        SHA1:561BB3FA4AEB24E8B5313F65F36161DE3C5DCA67
                                                                                                                        SHA-256:4D850FF4C2A67C7B012E7390AA5B569DDA76E58C3A5496C68D5D2502C3F85A0E
                                                                                                                        SHA-512:2F0DECCA4B5F2E0CAC84D8BB8A4A9047FB8D936975D2ECAA9A498A99902662D8CD7B50552976CEC70AA6EE4915CA9CEE0B0DF030A02C373CDDF64131BE1D1D98
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):482504
                                                                                                                        Entropy (8bit):7.943934222430446
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:
                                                                                                                        MD5:D2491F372D0206755CAEC6C8B94F9E7A
                                                                                                                        SHA1:01DB070FD731D26BD318A9B7CEBDEA24017A4F9F
                                                                                                                        SHA-256:05B114B2D95F0B25399DDEBFEE49B6E0A26A78B8631A7E3D8BA2145450D89A21
                                                                                                                        SHA-512:4C06304A0F871528B85B882F156C438F8B6B8DAF8F6E1F9129724A8E48EF1B5FB5600C7B28875623D28CABF7014E3BA372781F4D0FB0148FD2AFD39F40AF3E6A
                                                                                                                        Malicious:false
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):2722992
                                                                                                                        Entropy (8bit):7.997254745166301
                                                                                                                        Encrypted:true
                                                                                                                        SSDEEP:
                                                                                                                        MD5:299A451E3DA67D8E661AE2F22F1ABC5B
                                                                                                                        SHA1:B88B1D7C7E4FB23AB02425D5A98A2FACAA20BEA5
                                                                                                                        SHA-256:5794BA20826200174BA3B38FDCEAD8E82E9B094798F99BD2F524E55B16DEA2B2
                                                                                                                        SHA-512:D567860B0815F1583AEF24D4BC79FD37D9DF227B5414F5FB4C6EC641FD8FAFF9567F87471DE4F3620CFDA9B8A806BC88D25235F1F8CA91BF1E392472DD2F91E3
                                                                                                                        Malicious:true
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):2430128
                                                                                                                        Entropy (8bit):7.996503929638374
                                                                                                                        Encrypted:true
                                                                                                                        SSDEEP:
                                                                                                                        MD5:B354420B866F670FE69EC8C7611CAB23
                                                                                                                        SHA1:B2F2AC0869232CCA28FED253330CC630DC08159F
                                                                                                                        SHA-256:4BCE19AA9CE251A5F208BE8AE5FF11E92D0E0878F1CF4ADD25E367E5D89810A7
                                                                                                                        SHA-512:A93B666C5F1A306B7FD10309F683A4C6497503E65772B273A9C97D59FC53FD5A4C6F5E86F7B5C998D90977F242FE97ED2E9765B8AB89921496474AAA33E0C54C
                                                                                                                        Malicious:true
                                                                                                                        Process:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        File Type:PC bitmap, Windows 3.x format, 164 x 628 x 24, image size 308978, resolution 2834 x 2834 px/m, cbSize 309032, bits offset 54
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):309032
                                                                                                                        Entropy (8bit):6.583379857106919
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:
                                                                                                                        MD5:1A5CAAFACFC8C7766E404D019249CF67
                                                                                                                        SHA1:35D4878DB63059A0F25899F4BE00B41F430389BF
                                                                                                                        SHA-256:2E87D5742413254DB10F7BD0762B6CDB98FF9C46CA9ACDDFD9B1C2E5418638F2
                                                                                                                        SHA-512:202C13DED002D234117F08B18CA80D603246E6A166E18BA422E30D394ADA7E47153DD3CCE9728AFFE97128FDD797FE6302C74DC6882317E2BA254C8A6DB80F46
                                                                                                                        Malicious:false
                                                                                                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Entropy (8bit):7.291079287926429
                                                                                                                        TrID:
                                                                                                                        • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                        • DOS Executable Generic (2002/1) 0.02%
                                                                                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                        File name:SPCapIQProOffice-1.0.24095.1.exe
                                                                                                                        File size:687'576 bytes
                                                                                                                        MD5:c09651c0422f8bb452b82232a454eee8
                                                                                                                        SHA1:b7ec43f40cb6f8895de76d658fc4e8b2ecbb3038
                                                                                                                        SHA256:dc5f345565aa2cc4dd0b446d96204cb9f7135757795370fd581ab4a9458d8b1d
                                                                                                                        SHA512:be99051535c843e67d03e54836331b776d3545d785c5b1085188994d64492df6b1b392d0957f0aa85bc4c89af3333cbdbea3cb20ff2431e21d2fd192d6a45ce7
                                                                                                                        SSDEEP:12288:dAjuakTOfDlEU4HWDblFlOTPThN7INKwaNUgMI7QnA5Q:Gu/OfDlEUKWflmTP372KnMLAq
                                                                                                                        TLSH:AFE48E3291614032EBF106B7BD2895307D7CA738176088AEE3D8ED1D6EB949167F7253
                                                                                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A!.S.@...@...@.......@......y@.......@..."|..@..."{..@..."z.#@...8...@...8...@...@~.PA...#z.N@...#...@...@...@...#}..@..Rich.@.
                                                                                                                        Icon Hash:0000004545656505
                                                                                                                        Entrypoint:0x42e2a6
                                                                                                                        Entrypoint Section:.text
                                                                                                                        Digitally signed:true
                                                                                                                        Imagebase:0x400000
                                                                                                                        Subsystem:windows gui
                                                                                                                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP
                                                                                                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                                                        Time Stamp:0x5A10AD86 [Sat Nov 18 22:00:38 2017 UTC]
                                                                                                                        TLS Callbacks:
                                                                                                                        CLR (.Net) Version:
                                                                                                                        OS Version Major:5
                                                                                                                        OS Version Minor:1
                                                                                                                        File Version Major:5
                                                                                                                        File Version Minor:1
                                                                                                                        Subsystem Version Major:5
                                                                                                                        Subsystem Version Minor:1
                                                                                                                        Import Hash:d7e2fd259780271687ffca462b9e69b7
                                                                                                                        Signature Valid:true
                                                                                                                        Signature Issuer:CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
                                                                                                                        Signature Validation Error:The operation completed successfully
                                                                                                                        Error Number:0
                                                                                                                        Not Before, Not After
                                                                                                                        • 11/05/2023 01:00:00 11/05/2026 00:59:59
                                                                                                                        Subject Chain
                                                                                                                        • CN=S&P Global Inc., O=S&P Global Inc., L=New York, S=New York, C=US
                                                                                                                        Version:3
                                                                                                                        Thumbprint MD5:0C6B22DCE8EB32EE242D860332EC005B
                                                                                                                        Thumbprint SHA-1:7159D352BD0EFA7DD2A9857EA36540293BF4F843
                                                                                                                        Thumbprint SHA-256:7EA9DE13CA32106F8813C75997AF47AF605994842B7AE7A330979898D0822A48
                                                                                                                        Serial:0CF98F2ED7DB7252FA0854E50CE9A875
                                                                                                                        Instruction
                                                                                                                        call 00007F64DD3BDA7Fh
                                                                                                                        jmp 00007F64DD3BD3F3h
                                                                                                                        mov eax, dword ptr [esp+08h]
                                                                                                                        mov ecx, dword ptr [esp+10h]
                                                                                                                        or ecx, eax
                                                                                                                        mov ecx, dword ptr [esp+0Ch]
                                                                                                                        jne 00007F64DD3BD56Bh
                                                                                                                        mov eax, dword ptr [esp+04h]
                                                                                                                        mul ecx
                                                                                                                        retn 0010h
                                                                                                                        push ebx
                                                                                                                        mul ecx
                                                                                                                        mov ebx, eax
                                                                                                                        mov eax, dword ptr [esp+08h]
                                                                                                                        mul dword ptr [esp+14h]
                                                                                                                        add ebx, eax
                                                                                                                        mov eax, dword ptr [esp+08h]
                                                                                                                        mul ecx
                                                                                                                        add edx, ebx
                                                                                                                        pop ebx
                                                                                                                        retn 0010h
                                                                                                                        int3
                                                                                                                        int3
                                                                                                                        int3
                                                                                                                        int3
                                                                                                                        int3
                                                                                                                        int3
                                                                                                                        int3
                                                                                                                        int3
                                                                                                                        int3
                                                                                                                        int3
                                                                                                                        int3
                                                                                                                        int3
                                                                                                                        cmp cl, 00000040h
                                                                                                                        jnc 00007F64DD3BD577h
                                                                                                                        cmp cl, 00000020h
                                                                                                                        jnc 00007F64DD3BD568h
                                                                                                                        shrd eax, edx, cl
                                                                                                                        shr edx, cl
                                                                                                                        ret
                                                                                                                        mov eax, edx
                                                                                                                        xor edx, edx
                                                                                                                        and cl, 0000001Fh
                                                                                                                        shr eax, cl
                                                                                                                        ret
                                                                                                                        xor eax, eax
                                                                                                                        xor edx, edx
                                                                                                                        ret
                                                                                                                        push ebp
                                                                                                                        mov ebp, esp
                                                                                                                        jmp 00007F64DD3BD56Fh
                                                                                                                        push dword ptr [ebp+08h]
                                                                                                                        call 00007F64DD3C3DECh
                                                                                                                        pop ecx
                                                                                                                        test eax, eax
                                                                                                                        je 00007F64DD3BD571h
                                                                                                                        push dword ptr [ebp+08h]
                                                                                                                        call 00007F64DD3C3E75h
                                                                                                                        pop ecx
                                                                                                                        test eax, eax
                                                                                                                        je 00007F64DD3BD548h
                                                                                                                        pop ebp
                                                                                                                        ret
                                                                                                                        cmp dword ptr [ebp+08h], FFFFFFFFh
                                                                                                                        je 00007F64DD3BDE04h
                                                                                                                        jmp 00007F64DD3BDDE1h
                                                                                                                        push ebp
                                                                                                                        mov ebp, esp
                                                                                                                        push dword ptr [ebp+08h]
                                                                                                                        call 00007F64DD3BDE1Dh
                                                                                                                        pop ecx
                                                                                                                        pop ebp
                                                                                                                        ret
                                                                                                                        push ebp
                                                                                                                        mov ebp, esp
                                                                                                                        test byte ptr [ebp+08h], 00000001h
                                                                                                                        push esi
                                                                                                                        mov esi, ecx
                                                                                                                        mov dword ptr [esi], 00460DB8h
                                                                                                                        je 00007F64DD3BD56Ch
                                                                                                                        push 0000000Ch
                                                                                                                        push esi
                                                                                                                        call 00007F64DD3BD53Dh
                                                                                                                        pop ecx
                                                                                                                        pop ecx
                                                                                                                        mov eax, esi
                                                                                                                        pop esi
                                                                                                                        pop ebp
                                                                                                                        Programming Language:
                                                                                                                        • [ C ] VS2008 SP1 build 30729
                                                                                                                        • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x686b4 | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6d000 | 0x4794 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0xa54b8 | 0x2920 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x72000 | 0x3dfc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x67650 | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x676a4 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x67030 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x4b000 | 0x3e0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x68234 | 0x100 | .rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x49937 | 0x49a00 | 2319c0baa707bb66cc0bc08c55a13d8c | False | 0.5314688561120543 | data | 6.570006046413636 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x4b000 | 0x1ed60 | 0x1ee00 | 8ad6c4e18165c6d8ccdc97bab683438d | False | 0.3136386639676113 | data | 5.114228301263695 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x6a000 | 0x1730 | 0xa00 | 00fde973df27dc2d36084e16d6dddbdf | False | 0.274609375 | firmware 2005 v9319 (revision 0) N\346@\273\261\031\277D V2, 0 bytes or less, UNKNOWN2 0xffffffff, at 0 0 bytes , at 0 0 bytes , at 0x20a14600 | 3.1526594027632213 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.wixburn | 0x6c000 | 0x38 | 0x200 | 9c5ba571e37fdd1ebeddf1218a3bf252 | False | 0.095703125 | data | 0.5166818813429501 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x6d000 | 0x4794 | 0x4800 | 25c476419558d7960631e41f6b5d8d3f | False | 0.2422417534722222 | data | 5.344376414136709 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x72000 | 0x3dfc | 0x3e00 | dd2c47fa48872886af4c9a2e5bd90ccc | False | 0.8097278225806451 | data | 6.794335469567533 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x6d1a8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 2048 | English | United States | 0.11613475177304965
RT_ICON | 0x6d610 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 8192 | English | United States | 0.05628517823639775
RT_MESSAGETABLE | 0x6e6b8 | 0x2840 | data | English | United States | 0.28823757763975155
RT_GROUP_ICON | 0x70ef8 | 0x22 | data | English | United States | 1.0
RT_VERSION | 0x70f1c | 0x3a4 | data | English | United States | 0.4334763948497854
RT_MANIFEST | 0x712c0 | 0x4d2 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (1174), with CRLF line terminators | English | United States | 0.47568881685575365
DLL | Import
ADVAPI32.dll | RegCloseKey, RegOpenKeyExW, OpenProcessToken, AdjustTokenPrivileges, LookupPrivilegeValueW, InitiateSystemShutdownExW, GetUserNameW, RegQueryValueExW, RegDeleteValueW, CloseEventLog, OpenEventLogW, ReportEventW, ConvertStringSecurityDescriptorToSecurityDescriptorW, DecryptFileW, CreateWellKnownSid, InitializeAcl, SetEntriesInAclW, ChangeServiceConfigW, CloseServiceHandle, ControlService, OpenSCManagerW, OpenServiceW, QueryServiceStatus, SetNamedSecurityInfoW, CheckTokenMembership, AllocateAndInitializeSid, SetEntriesInAclA, SetSecurityDescriptorGroup, SetSecurityDescriptorOwner, SetSecurityDescriptorDacl, InitializeSecurityDescriptor, RegSetValueExW, RegQueryInfoKeyW, RegEnumValueW, RegEnumKeyExW, RegDeleteKeyW, RegCreateKeyExW, GetTokenInformation, CryptDestroyHash, CryptHashData, CryptCreateHash, CryptGetHashParam, CryptReleaseContext, CryptAcquireContextW, QueryServiceConfigW
USER32.dll | PeekMessageW, PostMessageW, IsWindow, WaitForInputIdle, PostQuitMessage, GetMessageW, TranslateMessage, MsgWaitForMultipleObjects, PostThreadMessageW, GetMonitorInfoW, MonitorFromPoint, IsDialogMessageW, LoadCursorW, LoadBitmapW, SetWindowLongW, GetWindowLongW, GetCursorPos, MessageBoxW, CreateWindowExW, UnregisterClassW, RegisterClassW, DefWindowProcW, DispatchMessageW
OLEAUT32.dll | VariantInit, SysAllocString, VariantClear, SysFreeString
GDI32.dll | DeleteDC, DeleteObject, SelectObject, StretchBlt, GetObjectW, CreateCompatibleDC
SHELL32.dll | CommandLineToArgvW, SHGetFolderPathW, ShellExecuteExW
ole32.dll | CoUninitialize, CoInitializeEx, CoInitialize, StringFromGUID2, CoCreateInstance, CoTaskMemFree, CLSIDFromProgID, CoInitializeSecurity
KERNEL32.dll | GetCommandLineA, GetCPInfo, GetOEMCP, CloseHandle, CreateFileW, GetProcAddress, LocalFree, HeapSetInformation, GetLastError, GetModuleHandleW, FormatMessageW, lstrlenA, lstrlenW, MultiByteToWideChar, WideCharToMultiByte, LCMapStringW, Sleep, GetLocalTime, GetModuleFileNameW, ExpandEnvironmentStringsW, GetTempPathW, GetTempFileNameW, CreateDirectoryW, GetFullPathNameW, CompareStringW, GetCurrentProcessId, WriteFile, SetFilePointer, LoadLibraryW, GetSystemDirectoryW, CreateFileA, HeapAlloc, HeapReAlloc, HeapFree, HeapSize, GetProcessHeap, FindClose, GetCommandLineW, GetCurrentDirectoryW, RemoveDirectoryW, SetFileAttributesW, GetFileAttributesW, DeleteFileW, FindFirstFileW, FindNextFileW, MoveFileExW, GetCurrentProcess, GetCurrentThreadId, InitializeCriticalSection, DeleteCriticalSection, ReleaseMutex, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, CreateProcessW, GetVersionExW, VerSetConditionMask, FreeLibrary, EnterCriticalSection, LeaveCriticalSection, GetSystemTime, GetNativeSystemInfo, GetModuleHandleExW, GetWindowsDirectoryW, GetSystemWow64DirectoryW, GetEnvironmentStringsW, VerifyVersionInfoW, GetVolumePathNameW, GetDateFormatW, GetUserDefaultUILanguage, GetSystemDefaultLangID, GetUserDefaultLangID, GetStringTypeW, ReadFile, SetFilePointerEx, DuplicateHandle, InterlockedExchange, InterlockedCompareExchange, LoadLibraryExW, CreateEventW, ProcessIdToSessionId, OpenProcess, GetProcessId, WaitForSingleObject, ConnectNamedPipe, SetNamedPipeHandleState, CreateNamedPipeW, CreateThread, GetExitCodeThread, SetEvent, WaitForMultipleObjects, InterlockedIncrement, InterlockedDecrement, ResetEvent, SetEndOfFile, SetFileTime, LocalFileTimeToFileTime, DosDateTimeToFileTime, CompareStringA, GetExitCodeProcess, SetThreadExecutionState, CopyFileExW, MapViewOfFile, UnmapViewOfFile, CreateMutexW, CreateFileMappingW, GetThreadLocale, IsValidCodePage, FindFirstFileExW, FreeEnvironmentStringsW, SetStdHandle, GetConsoleCP, GetConsoleMode, FlushFileBuffers, DecodePointer, WriteConsoleW, GetModuleHandleA, GlobalAlloc, GlobalFree, GetFileSizeEx, CopyFileW, VirtualAlloc, VirtualFree, SystemTimeToTzSpecificLocalTime, GetTimeZoneInformation, SystemTimeToFileTime, GetSystemInfo, VirtualProtect, VirtualQuery, GetComputerNameW, SetCurrentDirectoryW, GetFileType, GetACP, ExitProcess, GetStdHandle, InitializeCriticalSectionAndSpinCount, SetLastError, RtlUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, RaiseException, LoadLibraryExA
RPCRT4.dll | UuidCreate
Language of compilation system:English
Country where language is spoken:United States
                                                                                                                        Skipped network analysis since the amount of network traffic is too extensive. Please download the PCAP and check manually.


                                                                                                                        Target ID:0
                                                                                                                        Start time:02:52:09
                                                                                                                        Start date:19/04/2024
                                                                                                                        Path:C:\Users\user\Desktop\SPCapIQProOffice-1.0.24095.1.exe
                                                                                                                        Wow64 process (32bit):true
                                                                                                                        Commandline:"C:\Users\user\Desktop\SPCapIQProOffice-1.0.24095.1.exe"
                                                                                                                        Imagebase:0x10000
                                                                                                                        File size:687'576 bytes
                                                                                                                        MD5 hash:C09651C0422F8BB452B82232A454EEE8
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Reputation:low
                                                                                                                        Has exited:false

                                                                                                                        Target ID:1
                                                                                                                        Start time:02:52:09
                                                                                                                        Start date:19/04/2024
                                                                                                                        Path:C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exe
                                                                                                                        Wow64 process (32bit):true
                                                                                                                        Commandline:"C:\Windows\Temp\{73829BDB-07F0-4DD2-B2DF-FEE38C08D320}\.cr\SPCapIQProOffice-1.0.24095.1.exe" -burn.clean.room="C:\Users\user\Desktop\SPCapIQProOffice-1.0.24095.1.exe" -burn.filehandle.attached=532 -burn.filehandle.self=528
                                                                                                                        Imagebase:0x940000
                                                                                                                        File size:687'576 bytes
                                                                                                                        MD5 hash:C09651C0422F8BB452B82232A454EEE8
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Reputation:low
                                                                                                                        Has exited:false

                                                                                                                        Target ID:2
                                                                                                                        Start time:02:52:14
                                                                                                                        Start date:19/04/2024
                                                                                                                        Path:C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exe
                                                                                                                        Wow64 process (32bit):true
                                                                                                                        Commandline:"C:\Windows\Temp\{2575F37D-4D59-4ADE-9B35-833ABC76F3A4}\.be\SPCapIQProOffice-1.0.24095.1.exe" -q -burn.elevated BurnPipe.{22255B69-8FB0-4B58-9A37-96EAAA229CC0} {B6A53FD5-A31E-4AF8-BB77-CA62C452506E} 7336
                                                                                                                        Imagebase:0x650000
                                                                                                                        File size:687'576 bytes
                                                                                                                        MD5 hash:C09651C0422F8BB452B82232A454EEE8
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Reputation:low
                                                                                                                        Has exited:false

                                                                                                                        Target ID:7
                                                                                                                        Start time:02:52:28
                                                                                                                        Start date:19/04/2024
                                                                                                                        Path:C:\Windows\System32\SrTasks.exe
                                                                                                                        Wow64 process (32bit):false
                                                                                                                        Commandline:C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:1
                                                                                                                        Imagebase:0x7ff7bec30000
                                                                                                                        File size:59'392 bytes
                                                                                                                        MD5 hash:2694D2D28C368B921686FE567BD319EB
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Reputation:moderate
                                                                                                                        Has exited:true

                                                                                                                        Target ID:8
                                                                                                                        Start time:02:52:28
                                                                                                                        Start date:19/04/2024
                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                        Wow64 process (32bit):false
                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                        File size:862'208 bytes
                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Reputation:high
                                                                                                                        Has exited:true

                                                                                                                        Target ID:11
                                                                                                                        Start time:02:52:39
                                                                                                                        Start date:19/04/2024
                                                                                                                        Path:C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe
                                                                                                                        Wow64 process (32bit):true
                                                                                                                        Commandline:"C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe" /burn.runonce
                                                                                                                        Imagebase:0x160000
                                                                                                                        File size:687'576 bytes
                                                                                                                        MD5 hash:C09651C0422F8BB452B82232A454EEE8
                                                                                                                        Has elevated privileges:false
                                                                                                                        Has administrator privileges:false
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Reputation:low
                                                                                                                        Has exited:true

                                                                                                                        Target ID:12
                                                                                                                        Start time:02:52:39
                                                                                                                        Start date:19/04/2024
                                                                                                                        Path:C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe
                                                                                                                        Wow64 process (32bit):true
                                                                                                                        Commandline:"C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe" /burn.log.append "C:\Users\user\AppData\Local\Temp\S&P_Capital_IQ_Pro_Office_20240419025210.log"
                                                                                                                        Imagebase:0x160000
                                                                                                                        File size:687'576 bytes
                                                                                                                        MD5 hash:C09651C0422F8BB452B82232A454EEE8
                                                                                                                        Has elevated privileges:false
                                                                                                                        Has administrator privileges:false
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Reputation:low
                                                                                                                        Has exited:false

                                                                                                                        Target ID:13
                                                                                                                        Start time:02:52:39
                                                                                                                        Start date:19/04/2024
                                                                                                                        Path:C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe
                                                                                                                        Wow64 process (32bit):true
                                                                                                                        Commandline:"C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe" -burn.clean.room="C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe" -burn.filehandle.attached=520 -burn.filehandle.self=540 /burn.log.append "C:\Users\user\AppData\Local\Temp\S&P_Capital_IQ_Pro_Office_20240419025210.log"
                                                                                                                        Imagebase:0x160000
                                                                                                                        File size:687'576 bytes
                                                                                                                        MD5 hash:C09651C0422F8BB452B82232A454EEE8
                                                                                                                        Has elevated privileges:false
                                                                                                                        Has administrator privileges:false
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Reputation:low
                                                                                                                        Has exited:false

                                                                                                                        Target ID:16
                                                                                                                        Start time:02:52:49
                                                                                                                        Start date:19/04/2024
                                                                                                                        Path:C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe
                                                                                                                        Wow64 process (32bit):true
                                                                                                                        Commandline:"C:\ProgramData\Package Cache\{56aa9754-57aa-4a26-a164-12075d94eb2e}\SPCapIQProOffice-1.0.24095.1.exe" -q -burn.elevated BurnPipe.{F8907890-6A84-4345-B5A9-D02185C4BBD7} {C0D578AC-8A16-4B2B-B0EB-8A9283D46FE9} 7396
                                                                                                                        Imagebase:0x160000
                                                                                                                        File size:687'576 bytes
                                                                                                                        MD5 hash:C09651C0422F8BB452B82232A454EEE8
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Reputation:low
                                                                                                                        Has exited:false

                                                                                                                        Target ID:18
                                                                                                                        Start time:02:52:54
                                                                                                                        Start date:19/04/2024
                                                                                                                        Path:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        Wow64 process (32bit):true
                                                                                                                        Commandline:"C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe" /i /q /norestart
                                                                                                                        Imagebase:0x1000000
                                                                                                                        File size:40'293'040 bytes
                                                                                                                        MD5 hash:72F6A267DE1FA813073DED67D952FD40
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Reputation:low
                                                                                                                        Has exited:true

                                                                                                                        Target ID:20
                                                                                                                        Start time:02:53:04
                                                                                                                        Start date:19/04/2024
                                                                                                                        Path:C:\Windows\System32\SrTasks.exe
                                                                                                                        Wow64 process (32bit):false
                                                                                                                        Commandline:C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
                                                                                                                        Imagebase:0x7ff7bec30000
                                                                                                                        File size:59'392 bytes
                                                                                                                        MD5 hash:2694D2D28C368B921686FE567BD319EB
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Reputation:moderate
                                                                                                                        Has exited:true

                                                                                                                        Target ID:21
                                                                                                                        Start time:02:53:04
                                                                                                                        Start date:19/04/2024
                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                        Wow64 process (32bit):false
                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                        File size:862'208 bytes
                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Reputation:high
                                                                                                                        Has exited:true

                                                                                                                        Target ID:22
                                                                                                                        Start time:02:53:05
                                                                                                                        Start date:19/04/2024
                                                                                                                        Path:C:\e4b15374fbeb09b00c2ff6ea22\Setup.exe
                                                                                                                        Wow64 process (32bit):true
                                                                                                                        Commandline:c:\e4b15374fbeb09b00c2ff6ea22\Setup.exe /i /q /norestart
                                                                                                                        Imagebase:0x850000
                                                                                                                        File size:78'992 bytes
                                                                                                                        MD5 hash:DC0E68D2F5C7894259FE7B78D6336CD8
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Reputation:low
                                                                                                                        Has exited:true

                                                                                                                        Target ID:23
                                                                                                                        Start time:02:53:14
                                                                                                                        Start date:19/04/2024
                                                                                                                        Path:C:\Windows\System32\msiexec.exe
                                                                                                                        Wow64 process (32bit):false
                                                                                                                        Commandline:C:\Windows\system32\msiexec.exe /V
                                                                                                                        Imagebase:0x7ff7750c0000
                                                                                                                        File size:69'632 bytes
                                                                                                                        MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Reputation:high
                                                                                                                        Has exited:false

                                                                                                                        Target ID:24
                                                                                                                        Start time:02:53:26
                                                                                                                        Start date:19/04/2024
                                                                                                                        Path:C:\e4b15374fbeb09b00c2ff6ea22\vstor40\vstor40_x64.exe
                                                                                                                        Wow64 process (32bit):true
                                                                                                                        Commandline:vstor40_x64.exe /q
                                                                                                                        Imagebase:0x1000000
                                                                                                                        File size:2'722'992 bytes
                                                                                                                        MD5 hash:299A451E3DA67D8E661AE2F22F1ABC5B
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Reputation:low
                                                                                                                        Has exited:true

                                                                                                                        Target ID:25
                                                                                                                        Start time:02:53:27
                                                                                                                        Start date:19/04/2024
                                                                                                                        Path:C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe
                                                                                                                        Wow64 process (32bit):true
                                                                                                                        Commandline:"C:\ProgramData\Package Cache\56704865939C2388913D05724632D7B3B67D3CD9\vstor_redist.exe" /i /q /norestart
                                                                                                                        Imagebase:0x1000000
                                                                                                                        File size:40'293'040 bytes
                                                                                                                        MD5 hash:72F6A267DE1FA813073DED67D952FD40
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Reputation:low
                                                                                                                        Has exited:true

                                                                                                                        Target ID:26
                                                                                                                        Start time:02:53:27
                                                                                                                        Start date:19/04/2024
                                                                                                                        Path:C:\9e8b505ac5bf67d26cfba004c7a3fd\install.exe
                                                                                                                        Wow64 process (32bit):false
                                                                                                                        Commandline:c:\9e8b505ac5bf67d26cfba004c7a3fd\install.exe /q
                                                                                                                        Imagebase:0x7ff7aec20000
                                                                                                                        File size:792'728 bytes
                                                                                                                        MD5 hash:D2AC2D95581DB0D6B52757C2ED839E85
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Reputation:low
                                                                                                                        Has exited:true

                                                                                                                        Target ID:27
                                                                                                                        Start time:02:53:30
                                                                                                                        Start date:19/04/2024
                                                                                                                        Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                        Wow64 process (32bit):true
                                                                                                                        Commandline:c:\Windows\syswow64\MsiExec.exe -Embedding 50D0C51C5F29CB2F939D1D66AF46B8FD
                                                                                                                        Imagebase:0xde0000
                                                                                                                        File size:59'904 bytes
                                                                                                                        MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Reputation:high
                                                                                                                        Has exited:true

                                                                                                                        Target ID:28
                                                                                                                        Start time:02:53:31
                                                                                                                        Start date:19/04/2024
                                                                                                                        Path:C:\Windows\System32\msiexec.exe
                                                                                                                        Wow64 process (32bit):false
                                                                                                                        Commandline:c:\Windows\System32\MsiExec.exe -Embedding 392B92B2C8922C55BB291E3DD13F1718
                                                                                                                        Imagebase:0x7ff7750c0000
                                                                                                                        File size:69'632 bytes
                                                                                                                        MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Reputation:high
                                                                                                                        Has exited:true

                                                                                                                        Target ID:29
                                                                                                                        Start time:02:53:33
                                                                                                                        Start date:19/04/2024
                                                                                                                        Path:C:\5dbc7bbf14917454e3442522d4a6\Setup.exe
                                                                                                                        Wow64 process (32bit):true
                                                                                                                        Commandline:c:\5dbc7bbf14917454e3442522d4a6\Setup.exe /i /q /norestart
                                                                                                                        Imagebase:0x70000
                                                                                                                        File size:78'992 bytes
                                                                                                                        MD5 hash:DC0E68D2F5C7894259FE7B78D6336CD8
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Antivirus matches:
                                                                                                                        • Detection: 0%, ReversingLabs
                                                                                                                        Reputation:low
                                                                                                                        Has exited:true

                                                                                                                        Target ID:31
                                                                                                                        Start time:02:53:37
                                                                                                                        Start date:19/04/2024
                                                                                                                        Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                        Wow64 process (32bit):true
                                                                                                                        Commandline:c:\Windows\syswow64\MsiExec.exe -Embedding 8B188487738B9071562D9EF7776E0846 M Global\MSI0000
                                                                                                                        Imagebase:0xde0000
                                                                                                                        File size:59'904 bytes
                                                                                                                        MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Has exited:true

                                                                                                                        Target ID:32
                                                                                                                        Start time:02:53:38
                                                                                                                        Start date:19/04/2024
                                                                                                                        Path:C:\Windows\System32\msiexec.exe
                                                                                                                        Wow64 process (32bit):false
                                                                                                                        Commandline:c:\Windows\System32\MsiExec.exe -Embedding 65B24CE328994E1BC77923B19C5082F3 E Global\MSI0000
                                                                                                                        Imagebase:0x7ff7750c0000
                                                                                                                        File size:69'632 bytes
                                                                                                                        MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Has exited:true

                                                                                                                        Target ID:33
                                                                                                                        Start time:02:53:38
                                                                                                                        Start date:19/04/2024
                                                                                                                        Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                        Wow64 process (32bit):true
                                                                                                                        Commandline:c:\Windows\syswow64\MsiExec.exe -Embedding 417DB550FCDE732E3591759ED0C0D26B E Global\MSI0000
                                                                                                                        Imagebase:0xde0000
                                                                                                                        File size:59'904 bytes
                                                                                                                        MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Has exited:true

                                                                                                                        Target ID:34
                                                                                                                        Start time:02:53:38
                                                                                                                        Start date:19/04/2024
                                                                                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
                                                                                                                        Wow64 process (32bit):true
                                                                                                                        Commandline:c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll" /queue:3 /NoDependencies
                                                                                                                        Imagebase:0xab0000
                                                                                                                        File size:144'344 bytes
                                                                                                                        MD5 hash:417D6EA61C097F8DF6FEF2A57F9692DF
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Has exited:true

                                                                                                                        Target ID:35
                                                                                                                        Start time:02:53:38
                                                                                                                        Start date:19/04/2024
                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                        Wow64 process (32bit):false
                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                        File size:862'208 bytes
                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Has exited:true

                                                                                                                        Target ID:36
                                                                                                                        Start time:02:53:39
                                                                                                                        Start date:19/04/2024
                                                                                                                        Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
                                                                                                                        Wow64 process (32bit):false
                                                                                                                        Commandline:c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll" /queue:3 /NoDependencies
                                                                                                                        Imagebase:0x7ff7f1a60000
                                                                                                                        File size:174'552 bytes
                                                                                                                        MD5 hash:B6C3FE33B436E5006514403824F17C66
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Has exited:true

                                                                                                                        Target ID:37
                                                                                                                        Start time:02:53:39
                                                                                                                        Start date:19/04/2024
                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                        Wow64 process (32bit):false
                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                        File size:862'208 bytes
                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Has exited:true

                                                                                                                        Target ID:38
                                                                                                                        Start time:02:53:39
                                                                                                                        Start date:19/04/2024
                                                                                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
                                                                                                                        Wow64 process (32bit):true
                                                                                                                        Commandline:c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll" /queue:3 /NoDependencies
                                                                                                                        Imagebase:0xab0000
                                                                                                                        File size:144'344 bytes
                                                                                                                        MD5 hash:417D6EA61C097F8DF6FEF2A57F9692DF
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Has exited:true

                                                                                                                        Target ID:39
                                                                                                                        Start time:02:53:39
                                                                                                                        Start date:19/04/2024
                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                        Wow64 process (32bit):false
                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                        File size:862'208 bytes
                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Has exited:true

                                                                                                                        Target ID:40
                                                                                                                        Start time:02:53:40
                                                                                                                        Start date:19/04/2024
                                                                                                                        Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
                                                                                                                        Wow64 process (32bit):false
                                                                                                                        Commandline:c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll" /queue:3 /NoDependencies
                                                                                                                        Imagebase:0x7ff7f1a60000
                                                                                                                        File size:174'552 bytes
                                                                                                                        MD5 hash:B6C3FE33B436E5006514403824F17C66
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Has exited:true

                                                                                                                        Target ID:41
                                                                                                                        Start time:02:53:40
                                                                                                                        Start date:19/04/2024
                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                        Wow64 process (32bit):false
                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                        File size:862'208 bytes
                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Has exited:true

                                                                                                                        Target ID:42
                                                                                                                        Start time:02:53:40
                                                                                                                        Start date:19/04/2024
                                                                                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
                                                                                                                        Wow64 process (32bit):true
                                                                                                                        Commandline:c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll" /queue:3 /NoDependencies
                                                                                                                        Imagebase:0xab0000
                                                                                                                        File size:144'344 bytes
                                                                                                                        MD5 hash:417D6EA61C097F8DF6FEF2A57F9692DF
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Has exited:true

                                                                                                                        Target ID:43
                                                                                                                        Start time:02:53:40
                                                                                                                        Start date:19/04/2024
                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                        Wow64 process (32bit):false
                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                        File size:862'208 bytes
                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Has exited:true

                                                                                                                        Target ID:44
                                                                                                                        Start time:02:53:40
                                                                                                                        Start date:19/04/2024
                                                                                                                        Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
                                                                                                                        Wow64 process (32bit):false
                                                                                                                        Commandline:c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll" /queue:3 /NoDependencies
                                                                                                                        Imagebase:0x7ff7f1a60000
                                                                                                                        File size:174'552 bytes
                                                                                                                        MD5 hash:B6C3FE33B436E5006514403824F17C66
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Has exited:true

                                                                                                                        Target ID:45
                                                                                                                        Start time:02:53:40
                                                                                                                        Start date:19/04/2024
                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                        Wow64 process (32bit):false
                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                        File size:862'208 bytes
                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Has exited:true

                                                                                                                        Target ID:46
                                                                                                                        Start time:02:53:41
                                                                                                                        Start date:19/04/2024
                                                                                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
                                                                                                                        Wow64 process (32bit):true
                                                                                                                        Commandline:c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll" /queue:3 /NoDependencies
                                                                                                                        Imagebase:0xab0000
                                                                                                                        File size:144'344 bytes
                                                                                                                        MD5 hash:417D6EA61C097F8DF6FEF2A57F9692DF
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Has exited:true

                                                                                                                        Target ID:47
                                                                                                                        Start time:02:53:41
                                                                                                                        Start date:19/04/2024
                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                        Wow64 process (32bit):false
                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                        File size:862'208 bytes
                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Has exited:true

                                                                                                                        Target ID:48
                                                                                                                        Start time:02:53:41
                                                                                                                        Start date:19/04/2024
                                                                                                                        Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
                                                                                                                        Wow64 process (32bit):false
                                                                                                                        Commandline:c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll" /queue:3 /NoDependencies
                                                                                                                        Imagebase:0x7ff7f1a60000
                                                                                                                        File size:174'552 bytes
                                                                                                                        MD5 hash:B6C3FE33B436E5006514403824F17C66
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Has exited:true

                                                                                                                        Target ID:49
                                                                                                                        Start time:02:53:41
                                                                                                                        Start date:19/04/2024
                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                        Wow64 process (32bit):false
                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                        File size:862'208 bytes
                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Has exited:true

                                                                                                                        Target ID:50
                                                                                                                        Start time:02:53:42
                                                                                                                        Start date:19/04/2024
                                                                                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
                                                                                                                        Wow64 process (32bit):true
                                                                                                                        Commandline:c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll" /queue:3 /NoDependencies
                                                                                                                        Imagebase:0xab0000
                                                                                                                        File size:144'344 bytes
                                                                                                                        MD5 hash:417D6EA61C097F8DF6FEF2A57F9692DF
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Has exited:true

                                                                                                                        Target ID:51
                                                                                                                        Start time:02:53:42
                                                                                                                        Start date:19/04/2024
                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                        Wow64 process (32bit):false
                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                        File size:862'208 bytes
                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Has exited:true


                                                                                                                          Control-flow Graph

                                                                                                                          APIs
                                                                                                                          • GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?), ref: 00015217
                                                                                                                            • Part of subcall function 000504F8: InitializeCriticalSection.KERNEL32(0007B5FC,?,00015223,00000000,?,?,?,?,?,?), ref: 0005050F
                                                                                                                            • Part of subcall function 0001120A: CommandLineToArgvW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,ignored ,00000000,?,00000000,?,?,?,0001523F,00000000,?), ref: 00011248
                                                                                                                            • Part of subcall function 0001120A: GetLastError.KERNEL32(?,?,?,0001523F,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 00011252
                                                                                                                          • CoInitializeEx.OLE32(00000000,00000000,?,?,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 00015285
                                                                                                                            • Part of subcall function 00050E07: GetProcAddress.KERNEL32(RegDeleteKeyExW,AdvApi32.dll), ref: 00050E28
                                                                                                                          • GetVersionExW.KERNEL32(?,?,?,?,?,?,?), ref: 00015317
                                                                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?), ref: 00015321
                                                                                                                          • CoUninitialize.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0001558E
                                                                                                                          Strings
                                                                                                                          • 3.11.1.2318, xrefs: 00015384
                                                                                                                          • Failed to initialize COM., xrefs: 00015291
                                                                                                                          • Failed to initialize Cryputil., xrefs: 000152A6
                                                                                                                          • Failed to get OS info., xrefs: 0001534F
                                                                                                                          • Failed to parse command line., xrefs: 00015245
                                                                                                                          • Failed to run untrusted mode., xrefs: 000154B6
                                                                                                                          • Invalid run mode., xrefs: 000153F9
                                                                                                                          • Failed to run per-machine mode., xrefs: 0001546C
                                                                                                                          • Failed to initialize Regutil., xrefs: 000152C9
                                                                                                                          • Failed to run per-user mode., xrefs: 00015494
                                                                                                                          • Failed to run RunOnce mode., xrefs: 0001541C
                                                                                                                          • engine.cpp, xrefs: 00015345
                                                                                                                          • Failed to initialize engine state., xrefs: 0001526C
                                                                                                                          • Failed to initialize XML util., xrefs: 000152F9
                                                                                                                          • Failed to run embedded mode., xrefs: 00015444
                                                                                                                          • Failed to initialize Wiutil., xrefs: 000152E1
                                                                                                                          • Failed to initialize core., xrefs: 000153C3
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorInitializeLast$AddressArgvCommandCriticalHandleLineModuleProcSectionUninitializeVersion
                                                                                                                          • String ID: 3.11.1.2318$Failed to get OS info.$Failed to initialize COM.$Failed to initialize Cryputil.$Failed to initialize Regutil.$Failed to initialize Wiutil.$Failed to initialize XML util.$Failed to initialize core.$Failed to initialize engine state.$Failed to parse command line.$Failed to run RunOnce mode.$Failed to run embedded mode.$Failed to run per-machine mode.$Failed to run per-user mode.$Failed to run untrusted mode.$Invalid run mode.$engine.cpp
                                                                                                                          • API String ID: 3262001429-510904028
                                                                                                                          • Opcode ID: 38b487045dd2617778cdffe3e23137957934a68d0ecf6b4153a70b0aff193aba
                                                                                                                          • Instruction ID: 7fe05afe1183cb97a5a49f6c91ad6c9b0413b268697e5c86b0e363e8b823be57
                                                                                                                          • Opcode Fuzzy Hash: 38b487045dd2617778cdffe3e23137957934a68d0ecf6b4153a70b0aff193aba
                                                                                                                          • Instruction Fuzzy Hash: 03B1A672D40A29DBDB31AF64CC56BEE76B5AF84312F000195F908BB252DB719EC4CB91
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00000000,00053609,00000000,?,00000000), ref: 00053069
                                                                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,0003C025,?,00015405,?,00000000,?), ref: 00053075
                                                                                                                          • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 000530B5
                                                                                                                          • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 000530C1
                                                                                                                          • GetProcAddress.KERNEL32(00000000,Wow64EnableWow64FsRedirection), ref: 000530CC
                                                                                                                          • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 000530D6
                                                                                                                          • CoCreateInstance.OLE32(0007B6B8,00000000,00000001,0005B818,?,?,?,?,?,?,?,?,?,?,?,0003C025), ref: 00053111
                                                                                                                          • ExitProcess.KERNEL32 ref: 000531C0
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: AddressProc$CreateErrorExitHandleInstanceLastModuleProcess
                                                                                                                          • String ID: IsWow64Process$Wow64DisableWow64FsRedirection$Wow64EnableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$xmlutil.cpp
                                                                                                                          • API String ID: 2124981135-499589564
                                                                                                                          • Opcode ID: ef6d8442213482a7d5e8c3036dc51023415a0b0f8bcbcd9b467f785fc2d7a0ab
                                                                                                                          • Instruction ID: 0d59d491923d3ea9d5b7f91d92e1303aa9d9b174ed75f4605a2a068555fc6ba0
                                                                                                                          • Opcode Fuzzy Hash: ef6d8442213482a7d5e8c3036dc51023415a0b0f8bcbcd9b467f785fc2d7a0ab
                                                                                                                          • Instruction Fuzzy Hash: DD41E531E00715ABDB249BB8C855BAFB7E4AF44792F114068ED05EB280DB79DF48CB94
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                            • Part of subcall function 000133C7: GetModuleFileNameW.KERNEL32(?,?,00000104,?,00000104,?,?,?,?,000110DD,?,00000000), ref: 000133E8
                                                                                                                          • CreateFileW.KERNELBASE(?,80000000,00000005,00000000,00000003,00000080,00000000,?,00000000), ref: 000110F6
                                                                                                                            • Part of subcall function 00011175: HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,0001111A,cabinet.dll,00000009,?,?,00000000), ref: 00011186
                                                                                                                            • Part of subcall function 00011175: GetModuleHandleW.KERNEL32(kernel32,?,?,?,?,?,0001111A,cabinet.dll,00000009,?,?,00000000), ref: 00011191
                                                                                                                            • Part of subcall function 00011175: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 0001119F
                                                                                                                            • Part of subcall function 00011175: GetLastError.KERNEL32(?,?,?,?,?,0001111A,cabinet.dll,00000009,?,?,00000000), ref: 000111BA
                                                                                                                            • Part of subcall function 00011175: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 000111C2
                                                                                                                            • Part of subcall function 00011175: GetLastError.KERNEL32(?,?,?,?,?,0001111A,cabinet.dll,00000009,?,?,00000000), ref: 000111D7
                                                                                                                          • CloseHandle.KERNEL32(?,?,?,?,0005B4D0,?,cabinet.dll,00000009,?,?,00000000), ref: 00011131
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: AddressErrorFileHandleLastModuleProc$CloseCreateHeapInformationName
                                                                                                                          • String ID: cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$feclient.dll$msasn1.dll$msi.dll$version.dll$wininet.dll
                                                                                                                          • API String ID: 3687706282-3151496603
                                                                                                                          • Opcode ID: 8fb5f5157061b8ae237708361a6f50f8b0336ad4a14d096e802256d1afb03ede
                                                                                                                          • Instruction ID: ae363a186c72a3da2ff6d019609c096c9d86f72f07879ce91a8b39db8fa3c4d6
                                                                                                                          • Opcode Fuzzy Hash: 8fb5f5157061b8ae237708361a6f50f8b0336ad4a14d096e802256d1afb03ede
                                                                                                                          • Instruction Fuzzy Hash: D0213D7190021CBBDB209FA4DC45BEFBBB8EB49715F504515FA10B7282D774A9488BA4
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Strings
                                                                                                                          • Failed to copy working folder., xrefs: 0002A116
                                                                                                                          • Failed create working folder., xrefs: 0002A0EE
                                                                                                                          • Failed to calculate working folder to ensure it exists., xrefs: 0002A0D8
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CurrentDirectoryErrorLastProcessWindows
                                                                                                                          • String ID: Failed create working folder.$Failed to calculate working folder to ensure it exists.$Failed to copy working folder.
                                                                                                                          • API String ID: 3841436932-2072961686
                                                                                                                          • Opcode ID: eb306497a33ccec0d2421ea2633207ba513d46ac9a804da0c9f0ec0fb4eb20a2
                                                                                                                          • Instruction ID: b0f1b1a8bfac54e6d78ce30b29943bc2f6040790ed5f7a7733303f26a512337e
                                                                                                                          • Opcode Fuzzy Hash: eb306497a33ccec0d2421ea2633207ba513d46ac9a804da0c9f0ec0fb4eb20a2
                                                                                                                          • Instruction Fuzzy Hash: EB01D432A01938FB8F325A54ED16CDFBBB9DF45B20B104255FD007A211DF329E60A681
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • GetProcessHeap.KERNEL32(?,000001C7,?,00012274,000001C7,00000001,80004005,8007139F,?,?,00050267,8007139F,?,00000000,00000000,8007139F), ref: 00013960
                                                                                                                          • RtlAllocateHeap.NTDLL(00000000,?,00012274,000001C7,00000001,80004005,8007139F,?,?,00050267,8007139F,?,00000000,00000000,8007139F), ref: 00013967
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Heap$AllocateProcess
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1357844191-0
                                                                                                                          • Opcode ID: 7d9fb4f6ba87bdb6a94b8f1a52fb22e511b474faf85da57fcfe3eebdb4f6d9dc
                                                                                                                          • Instruction ID: fd36eae2b60431a1df1282aaa2b7f81d8fa4a82c6789f37e456b38b8f57eb399
                                                                                                                          • Opcode Fuzzy Hash: 7d9fb4f6ba87bdb6a94b8f1a52fb22e511b474faf85da57fcfe3eebdb4f6d9dc
                                                                                                                          • Instruction Fuzzy Hash: 2DC012321A470CAB8B406FF8EC0EC9B3BACBB686037448400B905C2160C73CF0108B64
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Control-flow Graph

                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: StringVariant$AllocClearFreeInit
                                                                                                                          • String ID: AboutUrl$Arp$Classification$Comments$Contact$Department$DisableModify$DisableRemove$DisplayName$DisplayVersion$ExecutableName$Failed to get @AboutUrl.$Failed to get @Classification.$Failed to get @Comments.$Failed to get @Contact.$Failed to get @Department.$Failed to get @DisableModify.$Failed to get @DisableRemove.$Failed to get @DisplayName.$Failed to get @DisplayVersion.$Failed to get @ExecutableName.$Failed to get @HelpLink.$Failed to get @HelpTelephone.$Failed to get @Id.$Failed to get @Manufacturer.$Failed to get @Name.$Failed to get @ParentDisplayName.$Failed to get @PerMachine.$Failed to get @ProductFamily.$Failed to get @ProviderKey.$Failed to get @Publisher.$Failed to get @Register.$Failed to get @Tag.$Failed to get @UpdateUrl.$Failed to get @Version.$Failed to parse @Version: %ls$Failed to parse related bundles$Failed to parse software tag.$Failed to select ARP node.$Failed to select Update node.$Failed to select registration node.$Failed to set registration paths.$HelpLink$HelpTelephone$Invalid modify disabled type: %ls$Manufacturer$Name$ParentDisplayName$PerMachine$ProductFamily$ProviderKey$Publisher$Register$Registration$Tag$Update$UpdateUrl$Version$button$registration.cpp$yes
                                                                                                                          • API String ID: 760788290-2956246334
                                                                                                                          • Opcode ID: 2c57e012c3e8750adf766d13493d3e8a7ea269b151a4eefbe5fa868f8a2876af
                                                                                                                          • Instruction ID: 04f7719f50a865c5e51e8a3b1fafb974ec70f955196bdead67af6a31efdc9292
                                                                                                                          • Opcode Fuzzy Hash: 2c57e012c3e8750adf766d13493d3e8a7ea269b151a4eefbe5fa868f8a2876af
                                                                                                                          • Instruction Fuzzy Hash: AAE10D32E44677BBCB2196A0CC52EFEB6A66F01710F150235FE11FB192DBA19E9197C0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • GetLastError.KERNEL32(?,?,?,00000000,76EEC3F0,00000000), ref: 0001B502
                                                                                                                          • SetFilePointerEx.KERNELBASE(000000FF,00000000,00000000,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0001B550
                                                                                                                          • GetLastError.KERNEL32(?,?,?,00000000,76EEC3F0,00000000), ref: 0001B556
                                                                                                                          • ReadFile.KERNELBASE(00000000,00014461,00000040,?,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0001B59E
                                                                                                                          • GetLastError.KERNEL32(?,?,?,00000000,76EEC3F0,00000000), ref: 0001B5A4
                                                                                                                          • SetFilePointerEx.KERNELBASE(00000000,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0001B601
                                                                                                                          • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0001B607
                                                                                                                          • ReadFile.KERNELBASE(00000000,?,00000018,00000040,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0001B650
                                                                                                                          • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0001B656
                                                                                                                          • SetFilePointerEx.KERNELBASE(00000000,-00000098,00000000,00000000,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0001B6C7
                                                                                                                          • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0001B6CD
                                                                                                                          • ReadFile.KERNEL32(00000000,?,00000004,00000018,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0001B716
                                                                                                                          • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0001B71C
                                                                                                                          • ReadFile.KERNEL32(00000000,?,00000004,00000018,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0001B765
                                                                                                                          • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0001B76B
                                                                                                                          • SetFilePointerEx.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0001B7B7
                                                                                                                          • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0001B7BD
                                                                                                                            • Part of subcall function 0001394F: GetProcessHeap.KERNEL32(?,000001C7,?,00012274,000001C7,00000001,80004005,8007139F,?,?,00050267,8007139F,?,00000000,00000000,8007139F), ref: 00013960
                                                                                                                            • Part of subcall function 0001394F: RtlAllocateHeap.NTDLL(00000000,?,00012274,000001C7,00000001,80004005,8007139F,?,?,00050267,8007139F,?,00000000,00000000,8007139F), ref: 00013967
                                                                                                                          • ReadFile.KERNEL32(00000000,?,00000028,00000018,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0001B810
                                                                                                                          • ReadFile.KERNEL32(00000000,?,00000028,00000028,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0001B872
                                                                                                                          • SetFilePointerEx.KERNELBASE(00000000,?,00000000,00000000,00000000,00000034,00000001,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0001B8FC
                                                                                                                          • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0001B906
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: File$ErrorLast$Read$Pointer$Heap$AllocateProcess
                                                                                                                          • String ID: ($.wix$4$Failed to allocate buffer for section info.$Failed to allocate memory for container sizes.$Failed to find Burn section.$Failed to find valid DOS image header in buffer.$Failed to find valid NT image header in buffer.$Failed to get total size of bundle.$Failed to open handle to engine process path.$Failed to read DOS header.$Failed to read NT header.$Failed to read complete image section header, index: %u$Failed to read complete section info.$Failed to read image section header, index: %u$Failed to read section info, data to short: %u$Failed to read section info, unsupported version: %08x$Failed to read section info.$Failed to read signature offset.$Failed to read signature size.$Failed to seek past optional headers.$Failed to seek to NT header.$Failed to seek to section info.$Failed to seek to start of file.$PE$PE Header from file didn't match PE Header in memory.$burn$section.cpp
                                                                                                                          • API String ID: 3411815225-695169583
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                            • Part of subcall function 0001394F: GetProcessHeap.KERNEL32(?,000001C7,?,00012274,000001C7,00000001,80004005,8007139F,?,?,00050267,8007139F,?,00000000,00000000,8007139F), ref: 00013960
                                                                                                                            • Part of subcall function 0001394F: RtlAllocateHeap.NTDLL(00000000,?,00012274,000001C7,00000001,80004005,8007139F,?,?,00050267,8007139F,?,00000000,00000000,8007139F), ref: 00013967
                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,download,000000FF,00000000,Packaging,00000000,00000000,FilePath,0001545D,00000000,0005CA9C,00015445,00000000), ref: 0001CEF3
                                                                                                                          Strings
                                                                                                                          • Failed to get @LayoutOnly., xrefs: 0001D197
                                                                                                                          • Failed to select payload nodes., xrefs: 0001CDEB
                                                                                                                          • Failed to get @Container., xrefs: 0001D18D
                                                                                                                          • CertificateRootPublicKeyIdentifier, xrefs: 0001D03D
                                                                                                                          • Failed to get @Id., xrefs: 0001D221
                                                                                                                          • Failed to get @CertificateRootPublicKeyIdentifier., xrefs: 0001D1B9
                                                                                                                          • Failed to get @FilePath., xrefs: 0001D21A
                                                                                                                          • Failed to get @Hash., xrefs: 0001D1E3
                                                                                                                          • Invalid value for @Packaging: %ls, xrefs: 0001D200
                                                                                                                          • Failed to get @Catalog., xrefs: 0001D1D5
                                                                                                                          • Catalog, xrefs: 0001D0EC
                                                                                                                          • external, xrefs: 0001CF21
                                                                                                                          • Failed to get next node., xrefs: 0001D228
                                                                                                                          • Failed to find catalog., xrefs: 0001D1CE
                                                                                                                          • FileSize, xrefs: 0001D002
                                                                                                                          • Failed to to find container: %ls, xrefs: 0001D186
                                                                                                                          • CertificateRootThumbprint, xrefs: 0001D07A
                                                                                                                          • Failed to get payload node count., xrefs: 0001CE10
                                                                                                                          • Failed to get @Packaging., xrefs: 0001D213
                                                                                                                          • LayoutOnly, xrefs: 0001CF8D
                                                                                                                          • Failed to hex decode the Payload/@Hash., xrefs: 0001D1DC
                                                                                                                          • Failed to hex decode @CertificateRootThumbprint., xrefs: 0001D1C0
                                                                                                                          • Failed to allocate memory for payload structs., xrefs: 0001CE49
                                                                                                                          • Packaging, xrefs: 0001CEC6
                                                                                                                          • DownloadUrl, xrefs: 0001CFD9
                                                                                                                          • Failed to get @FileSize., xrefs: 0001D1AB
                                                                                                                          • FilePath, xrefs: 0001CEAB
                                                                                                                          • payload.cpp, xrefs: 0001CE3F
                                                                                                                          • Failed to get @CertificateRootThumbprint., xrefs: 0001D1C7
                                                                                                                          • Failed to hex decode @CertificateRootPublicKeyIdentifier., xrefs: 0001D1B2
                                                                                                                          • Failed to parse @FileSize., xrefs: 0001D1A1
                                                                                                                          • Hash, xrefs: 0001D0B7
                                                                                                                          • Failed to get @SourcePath., xrefs: 0001D1F1
                                                                                                                          • download, xrefs: 0001CEE5
                                                                                                                          • Container, xrefs: 0001CF4B
                                                                                                                          • embedded, xrefs: 0001CF05
                                                                                                                          • SourcePath, xrefs: 0001CFB0
                                                                                                                          • Payload, xrefs: 0001CDD8
                                                                                                                          • Failed to get @DownloadUrl., xrefs: 0001D1EA
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Heap$AllocateCompareProcessString
                                                                                                                          • String ID: Catalog$CertificateRootPublicKeyIdentifier$CertificateRootThumbprint$Container$DownloadUrl$Failed to allocate memory for payload structs.$Failed to find catalog.$Failed to get @Catalog.$Failed to get @CertificateRootPublicKeyIdentifier.$Failed to get @CertificateRootThumbprint.$Failed to get @Container.$Failed to get @DownloadUrl.$Failed to get @FilePath.$Failed to get @FileSize.$Failed to get @Hash.$Failed to get @Id.$Failed to get @LayoutOnly.$Failed to get @Packaging.$Failed to get @SourcePath.$Failed to get next node.$Failed to get payload node count.$Failed to hex decode @CertificateRootPublicKeyIdentifier.$Failed to hex decode @CertificateRootThumbprint.$Failed to hex decode the Payload/@Hash.$Failed to parse @FileSize.$Failed to select payload nodes.$Failed to to find container: %ls$FilePath$FileSize$Hash$Invalid value for @Packaging: %ls$LayoutOnly$Packaging$Payload$SourcePath$download$embedded$external$payload.cpp
                                                                                                                          • API String ID: 1171520630-3127305756
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • SetEvent.KERNEL32(?,?,?,?,?,000308BC,?,?), ref: 00030D25
                                                                                                                          • GetLastError.KERNEL32(?,?,?,?,000308BC,?,?), ref: 00030D2F
                                                                                                                          • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,000308BC,?,?), ref: 00030D74
                                                                                                                          • GetLastError.KERNEL32(?,?,?,?,000308BC,?,?), ref: 00030D7F
                                                                                                                          • ResetEvent.KERNEL32(?,?,?,?,?,000308BC,?,?), ref: 00030DB7
                                                                                                                          • GetLastError.KERNEL32(?,?,?,?,000308BC,?,?), ref: 00030DC1
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorLast$Event$ObjectResetSingleWait
                                                                                                                          • String ID: Failed to allocate buffer for stream.$Failed to copy stream name: %ls$Failed to create file: %ls$Failed to reset begin operation event.$Failed to set end of file.$Failed to set file pointer to beginning of file.$Failed to set file pointer to end of file.$Failed to set operation complete event.$Failed to wait for begin operation event.$Invalid operation for this state.$cabextract.cpp
                                                                                                                          • API String ID: 1865021742-2104912459
                                                                                                                          • Opcode ID: d153a41e2a576205f69b607b4b60fc42c9ccb003c9434781b88c137df675cc86
                                                                                                                          • Instruction ID: 5d8259d43bef6856cffa4611a04c75f3bef0974fe120dd4f29f9eadaa88eba16
                                                                                                                          • Opcode Fuzzy Hash: d153a41e2a576205f69b607b4b60fc42c9ccb003c9434781b88c137df675cc86
                                                                                                                          • Instruction Fuzzy Hash: 34913B37B81732B7D33626A54D09BAB3998BF05B21F124620FF10BE5D1D755EC4086E1
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Control-flow Graph

                                                                                                                          • Executed
                                                                                                                          • Not Executed
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 000133C7: GetModuleFileNameW.KERNEL32(?,?,00000104,?,00000104,?,?,?,?,000110DD,?,00000000), ref: 000133E8
                                                                                                                          • CloseHandle.KERNEL32(00000000,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 00014F40
                                                                                                                          • CloseHandle.KERNEL32(000000FF,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 00014F4F
                                                                                                                          • CloseHandle.KERNEL32(000000FF,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 00014F5E
                                                                                                                          • CloseHandle.KERNEL32(?,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 00014F69
                                                                                                                          Strings
                                                                                                                          • Failed to allocate parameters for unelevated process., xrefs: 00014DFA
                                                                                                                          • Failed to append original command line., xrefs: 00014E69
                                                                                                                          • D, xrefs: 00014EA9
                                                                                                                          • burn.filehandle.self, xrefs: 00014E45
                                                                                                                          • burn.filehandle.attached, xrefs: 00014E17
                                                                                                                          • Failed to wait for clean room process: %ls, xrefs: 00014F23
                                                                                                                          • Failed to launch clean room process: %ls, xrefs: 00014EF7
                                                                                                                          • engine.cpp, xrefs: 00014EEA
                                                                                                                          • Failed to cache to clean room., xrefs: 00014DC2
                                                                                                                          • %ls %ls, xrefs: 00014E55
                                                                                                                          • Failed to get path for current process., xrefs: 00014D83
                                                                                                                          • burn.clean.room, xrefs: 00014DDE
                                                                                                                          • "%ls" %ls, xrefs: 00014E7A
                                                                                                                          • Failed to allocate full command-line., xrefs: 00014E8E
                                                                                                                          • Failed to append %ls, xrefs: 00014E1C
                                                                                                                          • -%ls="%ls", xrefs: 00014DE6
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CloseHandle$FileModuleName
                                                                                                                          • String ID: "%ls" %ls$%ls %ls$-%ls="%ls"$D$Failed to allocate full command-line.$Failed to allocate parameters for unelevated process.$Failed to append %ls$Failed to append original command line.$Failed to cache to clean room.$Failed to get path for current process.$Failed to launch clean room process: %ls$Failed to wait for clean room process: %ls$burn.clean.room$burn.filehandle.attached$burn.filehandle.self$engine.cpp
                                                                                                                          • API String ID: 3884789274-2391192076
                                                                                                                          • Opcode ID: f148bdde5293366794567b0c6f6c4e834249beb44ddf94e42310bfb6668bdb32
                                                                                                                          • Instruction ID: 63b6da6f2e4bb43f3109f68587b26978b88a3234db117beb7f537816c19ab843
                                                                                                                          • Opcode Fuzzy Hash: f148bdde5293366794567b0c6f6c4e834249beb44ddf94e42310bfb6668bdb32
                                                                                                                          • Instruction Fuzzy Hash: DC718632D00229ABDF219B94CC45EEFBBB8AF04721F110165FE14B72A1D7759A85CBD1
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Control-flow Graph

                                                                                                                          • Executed
                                                                                                                          • Not Executed
                                                                                                                          Strings
                                                                                                                          • WixBundleSourceProcessPath, xrefs: 000276F8
                                                                                                                          • WixBundleSourceProcessFolder, xrefs: 00027734
                                                                                                                          • Failed to load catalog files., xrefs: 0002780F
                                                                                                                          • Failed to set original source variable., xrefs: 0002776A
                                                                                                                          • Failed to parse command line., xrefs: 00027667
                                                                                                                          • WixBundleUILevel, xrefs: 000276D6, 000276E7
                                                                                                                          • Failed to load manifest., xrefs: 000275E8
                                                                                                                          • WixBundleElevated, xrefs: 000276A5, 000276B6
                                                                                                                          • Failed to extract bootstrapper application payloads., xrefs: 000277EF
                                                                                                                          • Failed to get unique temporary folder for bootstrapper application., xrefs: 000277CE
                                                                                                                          • Failed to get source process folder from path., xrefs: 00027725
                                                                                                                          • Failed to initialize internal cache functionality., xrefs: 0002779F
                                                                                                                          • Failed to set source process path variable., xrefs: 00027709
                                                                                                                          • Failed to get manifest stream from container., xrefs: 000275CC
                                                                                                                          • Failed to open attached UX container., xrefs: 0002758E
                                                                                                                          • Failed to overwrite the %ls built-in variable., xrefs: 000276BB
                                                                                                                          • Failed to open manifest stream., xrefs: 000275AB
                                                                                                                          • Failed to initialize variables., xrefs: 00027571
                                                                                                                          • Failed to set source process folder variable., xrefs: 00027745
                                                                                                                          • WixBundleOriginalSource, xrefs: 00027759
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CriticalInitializeSection
                                                                                                                          • String ID: Failed to extract bootstrapper application payloads.$Failed to get manifest stream from container.$Failed to get source process folder from path.$Failed to get unique temporary folder for bootstrapper application.$Failed to initialize internal cache functionality.$Failed to initialize variables.$Failed to load catalog files.$Failed to load manifest.$Failed to open attached UX container.$Failed to open manifest stream.$Failed to overwrite the %ls built-in variable.$Failed to parse command line.$Failed to set original source variable.$Failed to set source process folder variable.$Failed to set source process path variable.$WixBundleElevated$WixBundleOriginalSource$WixBundleSourceProcessFolder$WixBundleSourceProcessPath$WixBundleUILevel
                                                                                                                          • API String ID: 32694325-1564579409
                                                                                                                          • Opcode ID: fbd4cd6b271e015be023a6a581a345f8d3fe9e022b67a37ee52c363afe22c2e5
                                                                                                                          • Instruction ID: aa5e5106cb8dd31a298c3fcfdd62797ed56f55a391456efcce5c591b4a10a66d
                                                                                                                          • Opcode Fuzzy Hash: fbd4cd6b271e015be023a6a581a345f8d3fe9e022b67a37ee52c363afe22c2e5
                                                                                                                          • Instruction Fuzzy Hash: 75A1B772E44A3ABBDB269AA0DC45FEFB7ACBB04700F404566F619E7141DB31E944C7A0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Control-flow Graph

                                                                                                                          • Executed
                                                                                                                          • Not Executed
                                                                                                                          APIs
                                                                                                                          • CreateFileW.KERNELBASE(00000000,40000000,00000005,00000000,00000002,08000080,00000000,?,00000000,00000000,00014DBC,?,?,00000000,00014DBC,00000000), ref: 00028713
                                                                                                                          • GetLastError.KERNEL32 ref: 00028720
                                                                                                                            • Part of subcall function 00053EDD: ReadFile.KERNELBASE(?,?,00000000,?,00000000), ref: 00053F73
                                                                                                                          • SetFilePointerEx.KERNEL32(00000000,0005B4B8,00000000,00000000,00000000,?,00000000,0005B500,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 000287CD
                                                                                                                          • GetLastError.KERNEL32 ref: 000287D7
                                                                                                                          • FindCloseChangeNotification.KERNELBASE(00000000,?,00000000,0005B500,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00028902
                                                                                                                          Strings
                                                                                                                          • cabinet.dll, xrefs: 0002887B
                                                                                                                          • msi.dll, xrefs: 00028814
                                                                                                                          • Failed to seek to checksum in exe header., xrefs: 00028805
                                                                                                                          • Failed to zero out original data offset., xrefs: 000288F4
                                                                                                                          • Failed to seek to original data in exe burn section header., xrefs: 000288DB
                                                                                                                          • Failed to create engine file at path: %ls, xrefs: 00028751
                                                                                                                          • Failed to update signature offset., xrefs: 00028821
                                                                                                                          • cache.cpp, xrefs: 00028744, 000287FB, 00028862, 000288D1
                                                                                                                          • Failed to seek to beginning of engine file: %ls, xrefs: 00028779
                                                                                                                          • Failed to copy engine from: %ls to: %ls, xrefs: 000287A8
                                                                                                                          • Failed to seek to signature table in exe header., xrefs: 0002886C
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: File$ErrorLast$ChangeCloseCreateFindNotificationPointerRead
                                                                                                                          • String ID: Failed to copy engine from: %ls to: %ls$Failed to create engine file at path: %ls$Failed to seek to beginning of engine file: %ls$Failed to seek to checksum in exe header.$Failed to seek to original data in exe burn section header.$Failed to seek to signature table in exe header.$Failed to update signature offset.$Failed to zero out original data offset.$cabinet.dll$cache.cpp$msi.dll
                                                                                                                          • API String ID: 3608016165-1976062716
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • InitializeCriticalSection.KERNEL32(0002756B,000153BD,00000000,00015445), ref: 0001764C
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CriticalInitializeSection
                                                                                                                          • String ID: #$$$'$0$Date$Failed to add built-in variable: %ls.$InstallerName$InstallerVersion$LogonUser$WixBundleAction$WixBundleActiveParent$WixBundleElevated$WixBundleExecutePackageAction$WixBundleExecutePackageCacheFolder$WixBundleForcedRestartPackage$WixBundleInstalled$WixBundleProviderKey$WixBundleSourceProcessFolder$WixBundleSourceProcessPath$WixBundleTag$WixBundleUILevel$WixBundleVersion
                                                                                                                          • API String ID: 32694325-3635313340
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00015489), ref: 00028310
                                                                                                                            • Part of subcall function 00050879: OpenProcessToken.ADVAPI32(?,00000008,?,000153BD,00000000,?,?,?,?,?,?,?,0002769D,00000000), ref: 00050897
                                                                                                                            • Part of subcall function 00050879: GetLastError.KERNEL32(?,?,?,?,?,?,?,0002769D,00000000), ref: 000508A1
                                                                                                                            • Part of subcall function 00050879: FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,0002769D,00000000), ref: 0005092B
                                                                                                                          • GetWindowsDirectoryW.KERNEL32(?,00000104,00000000), ref: 00028336
                                                                                                                          • GetLastError.KERNEL32 ref: 00028340
                                                                                                                          • GetTempPathW.KERNEL32(00000104,?,00000000), ref: 000283BD
                                                                                                                          • GetLastError.KERNEL32 ref: 000283C7
                                                                                                                          • UuidCreate.RPCRT4(?), ref: 00028406
                                                                                                                          Strings
                                                                                                                          • Failed to concat Temp directory on windows path for working folder., xrefs: 000283AD
                                                                                                                          • Failed to get temp path for working folder., xrefs: 000283F5
                                                                                                                          • Temp\, xrefs: 00028395
                                                                                                                          • Failed to copy working folder path., xrefs: 0002848B
                                                                                                                          • Failed to create working folder guid., xrefs: 00028413
                                                                                                                          • %ls%ls\, xrefs: 00028458
                                                                                                                          • Failed to append bundle id on to temp path for working folder., xrefs: 00028470
                                                                                                                          • cache.cpp, xrefs: 00028364, 000283EB, 0002843C
                                                                                                                          • Failed to convert working folder guid into string., xrefs: 00028446
                                                                                                                          • Failed to get windows path for working folder., xrefs: 0002836E
                                                                                                                          • Failed to ensure windows path for working folder ended in backslash., xrefs: 0002838B
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorLast$Process$ChangeCloseCreateCurrentDirectoryFindNotificationOpenPathTempTokenUuidWindows
                                                                                                                          • String ID: %ls%ls\$Failed to append bundle id on to temp path for working folder.$Failed to concat Temp directory on windows path for working folder.$Failed to convert working folder guid into string.$Failed to copy working folder path.$Failed to create working folder guid.$Failed to ensure windows path for working folder ended in backslash.$Failed to get temp path for working folder.$Failed to get windows path for working folder.$Temp\$cache.cpp
                                                                                                                          • API String ID: 2898636500-819636856
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • CoInitializeEx.OLE32(00000000,00000000), ref: 0003111D
                                                                                                                          • CoUninitialize.OLE32 ref: 00031398
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: InitializeUninitialize
                                                                                                                          • String ID: <the>.cab$Failed to extract all files from container, erf: %d:%X:%d$Failed to initialize COM.$Failed to initialize cabinet.dll.$Failed to reset begin operation event.$Failed to set operation complete event.$Failed to wait for begin operation event.$Invalid operation for this state.$cabextract.cpp
                                                                                                                          • API String ID: 3442037557-1168358783
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • InitializeCriticalSection.KERNEL32(00000000,?,00000000,00000000,?,?,00015266,?,?,00000000,?,?), ref: 00014303
                                                                                                                          • InitializeCriticalSection.KERNEL32(000000D0,?,?,00015266,?,?,00000000,?,?), ref: 0001430C
                                                                                                                          • lstrlenW.KERNEL32(burn.filehandle.attached,000004B8,000004A0,?,?,00015266,?,?,00000000,?,?), ref: 00014352
                                                                                                                          • lstrlenW.KERNEL32(burn.filehandle.attached,burn.filehandle.attached,00000000,?,?,00015266,?,?,00000000,?,?), ref: 0001435C
                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000001,?,00000000,?,?,00015266,?,?,00000000,?,?), ref: 00014370
                                                                                                                          • lstrlenW.KERNEL32(burn.filehandle.attached,?,?,00015266,?,?,00000000,?,?), ref: 00014380
                                                                                                                          • lstrlenW.KERNEL32(burn.filehandle.self,?,?,00015266,?,?,00000000,?,?), ref: 000143D0
                                                                                                                          • lstrlenW.KERNEL32(burn.filehandle.self,burn.filehandle.self,00000000,?,?,00015266,?,?,00000000,?,?), ref: 000143DA
                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000001,?,00000000,?,?,00015266,?,?,00000000,?,?), ref: 000143EE
                                                                                                                          • lstrlenW.KERNEL32(burn.filehandle.self,?,?,00015266,?,?,00000000,?,?), ref: 000143FE
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: lstrlen$CompareCriticalInitializeSectionString
                                                                                                                          • String ID: Failed to initialize engine section.$Failed to parse file handle: '%ls'$Missing required parameter for switch: %ls$burn.filehandle.attached$burn.filehandle.self$engine.cpp
                                                                                                                          • API String ID: 3039292287-3209860532
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,08000080,00000000,?,00000000,00000000,?,0001C47F,00015405,?,?,00015445), ref: 0001C2D6
                                                                                                                          • GetLastError.KERNEL32(?,0001C47F,00015405,?,?,00015445,00015445,00000000,?,00000000), ref: 0001C2E7
                                                                                                                          • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002,?,00000000,00000000,?,0001C47F,00015405,?,?,00015445,00015445,00000000,?), ref: 0001C336
                                                                                                                          • GetCurrentProcess.KERNEL32(000000FF,00000000,?,0001C47F,00015405,?,?,00015445,00015445,00000000,?,00000000), ref: 0001C33C
                                                                                                                          • DuplicateHandle.KERNELBASE(00000000,?,0001C47F,00015405,?,?,00015445,00015445,00000000,?,00000000), ref: 0001C33F
                                                                                                                          • GetLastError.KERNEL32(?,0001C47F,00015405,?,?,00015445,00015445,00000000,?,00000000), ref: 0001C349
                                                                                                                          • SetFilePointerEx.KERNELBASE(?,00000000,00000000,00000000,00000000,?,0001C47F,00015405,?,?,00015445,00015445,00000000,?,00000000), ref: 0001C39B
                                                                                                                          • GetLastError.KERNEL32(?,0001C47F,00015405,?,?,00015445,00015445,00000000,?,00000000), ref: 0001C3A5
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorLast$CurrentFileProcess$CreateDuplicateHandlePointer
                                                                                                                          • String ID: Failed to duplicate handle to container: %ls$Failed to move file pointer to container offset.$Failed to open container.$Failed to open file: %ls$container.cpp$crypt32.dll$feclient.dll
                                                                                                                          • API String ID: 2619879409-373955632
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                            • Part of subcall function 00013838: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00013877
                                                                                                                            • Part of subcall function 00013838: GetLastError.KERNEL32 ref: 00013881
                                                                                                                            • Part of subcall function 00054A6C: GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000,00000001), ref: 00054A9D
                                                                                                                          • GetProcAddress.KERNEL32(MsiDeterminePatchSequenceW,00000000), ref: 00052B41
                                                                                                                          • GetProcAddress.KERNEL32(MsiDetermineApplicablePatchesW), ref: 00052B61
                                                                                                                          • GetProcAddress.KERNEL32(MsiEnumProductsExW), ref: 00052B81
                                                                                                                          • GetProcAddress.KERNEL32(MsiGetPatchInfoExW), ref: 00052BA1
                                                                                                                          • GetProcAddress.KERNEL32(MsiGetProductInfoExW), ref: 00052BC1
                                                                                                                          • GetProcAddress.KERNEL32(MsiSetExternalUIRecord), ref: 00052BE1
                                                                                                                          • GetProcAddress.KERNEL32(MsiSourceListAddSourceExW), ref: 00052C01
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: AddressProc$ErrorLast$DirectorySystem
                                                                                                                          • String ID: Msi.dll$MsiDetermineApplicablePatchesW$MsiDeterminePatchSequenceW$MsiEnumProductsExW$MsiGetPatchInfoExW$MsiGetProductInfoExW$MsiSetExternalUIRecord$MsiSourceListAddSourceExW
                                                                                                                          • API String ID: 2510051996-1735120554
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • GetProcAddress.KERNELBASE(SystemFunction040,AdvApi32.dll), ref: 0004FCD6
                                                                                                                          • GetProcAddress.KERNEL32(SystemFunction041), ref: 0004FCE8
                                                                                                                          • GetProcAddress.KERNEL32(CryptProtectMemory,Crypt32.dll), ref: 0004FD2B
                                                                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?), ref: 0004FD3F
                                                                                                                          • GetProcAddress.KERNEL32(CryptUnprotectMemory), ref: 0004FD77
                                                                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?), ref: 0004FD8B
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: AddressProc$ErrorLast
                                                                                                                          • String ID: AdvApi32.dll$Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory$SystemFunction040$SystemFunction041$`+9s$cryputil.cpp
                                                                                                                          • API String ID: 4214558900-213721895
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,wininet.dll,?,00000000,00000000,00000000,?,?,0001C3EB,?,00000000,?,0001C47F), ref: 00031778
                                                                                                                          • GetLastError.KERNEL32(?,0001C3EB,?,00000000,?,0001C47F,00015405,?,?,00015445,00015445,00000000,?,00000000), ref: 00031781
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CreateErrorEventLast
                                                                                                                          • String ID: Failed to copy file name.$Failed to create begin operation event.$Failed to create extraction thread.$Failed to create operation complete event.$Failed to wait for operation complete.$cabextract.cpp$wininet.dll
                                                                                                                          • API String ID: 545576003-938279966
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • CompareStringA.KERNELBASE(00000000,00000000,<the>.cab,?,?), ref: 000308F2
                                                                                                                          • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,?), ref: 0003090A
                                                                                                                          • GetCurrentProcess.KERNEL32(?,00000000,?,?), ref: 0003090F
                                                                                                                          • DuplicateHandle.KERNELBASE(00000000,?,?), ref: 00030912
                                                                                                                          • GetLastError.KERNEL32(?,?), ref: 0003091C
                                                                                                                          • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,08000080,00000000,?,?), ref: 0003098B
                                                                                                                          • GetLastError.KERNEL32(?,?), ref: 00030998
                                                                                                                          Strings
                                                                                                                          • Failed to add virtual file pointer for cab container., xrefs: 00030971
                                                                                                                          • cabextract.cpp, xrefs: 00030940, 000309BC
                                                                                                                          • Failed to open cabinet file: %hs, xrefs: 000309C9
                                                                                                                          • Failed to duplicate handle to cab container., xrefs: 0003094A
                                                                                                                          • <the>.cab, xrefs: 000308EB
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CurrentErrorLastProcess$CompareCreateDuplicateFileHandleString
                                                                                                                          • String ID: <the>.cab$Failed to add virtual file pointer for cab container.$Failed to duplicate handle to cab container.$Failed to open cabinet file: %hs$cabextract.cpp
                                                                                                                          • API String ID: 3030546534-3446344238
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • GetCurrentProcess.KERNEL32(000000FF,00000000,00000001,00000002,?,00000000,?,?,00014E11,?,?), ref: 00026A77
                                                                                                                          • GetCurrentProcess.KERNEL32(?,00000000,?,?,00014E11,?,?), ref: 00026A7D
                                                                                                                          • DuplicateHandle.KERNELBASE(00000000,?,?,00014E11,?,?), ref: 00026A80
                                                                                                                          • GetLastError.KERNEL32(?,?,00014E11,?,?), ref: 00026A8A
                                                                                                                          • CloseHandle.KERNEL32(000000FF,?,00014E11,?,?), ref: 00026B03
                                                                                                                          Strings
                                                                                                                          • core.cpp, xrefs: 00026AAE
                                                                                                                          • burn.filehandle.attached, xrefs: 00026AD0
                                                                                                                          • Failed to append the file handle to the command line., xrefs: 00026AEB
                                                                                                                          • Failed to duplicate file handle for attached container., xrefs: 00026AB8
                                                                                                                          • %ls -%ls=%u, xrefs: 00026AD7
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CurrentHandleProcess$CloseDuplicateErrorLast
                                                                                                                          • String ID: %ls -%ls=%u$Failed to append the file handle to the command line.$Failed to duplicate file handle for attached container.$burn.filehandle.attached$core.cpp
                                                                                                                          • API String ID: 4224961946-4196573879
                                                                                                                          • Opcode ID: 03b7854108ffd9d6c5300a509b35bb1f7e6f70d769bcaa6fb4af1016d4c79b21
                                                                                                                          • Instruction ID: f106598960899c24b4388e036caa55a43234e973e7b7d35780126b4b1439e4e5
                                                                                                                          • Opcode Fuzzy Hash: 03b7854108ffd9d6c5300a509b35bb1f7e6f70d769bcaa6fb4af1016d4c79b21
                                                                                                                          • Instruction Fuzzy Hash: 46118432940625FBCB20ABA49C09E9F7BA89F05731F104255FD20FB2D0D7759D008AE1
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • LoadLibraryExA.KERNELBASE(?,00000000,00000000), ref: 00059AA6
                                                                                                                          • GetLastError.KERNEL32 ref: 00059AB2
                                                                                                                          • DloadReleaseSectionWriteAccess.DELAYIMP ref: 00059AE1
                                                                                                                          • RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 00059AF2
                                                                                                                          • FreeLibrary.KERNEL32(00000000), ref: 00059B0C
                                                                                                                          • GetProcAddress.KERNEL32(?,?), ref: 00059B74
                                                                                                                          • GetLastError.KERNEL32(?,?), ref: 00059B80
                                                                                                                          • DloadReleaseSectionWriteAccess.DELAYIMP ref: 00059BAF
                                                                                                                          • RaiseException.KERNEL32(C06D007F,00000000,00000001,?,?,?), ref: 00059BC0
                                                                                                                          • DloadReleaseSectionWriteAccess.DELAYIMP ref: 00059BF7
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: AccessDloadReleaseSectionWrite$ErrorExceptionLastLibraryRaise$AddressFreeLoadProc
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 202095176-0
                                                                                                                          • Opcode ID: cea19a9985b7d1c463cab3c5efcef0efaa412fd87112eee969f981a540f99a2a
                                                                                                                          • Instruction ID: 06f452f52b37425519f1e939090f0f61ba662fbff988f5e3e229ae3b5779af6f
                                                                                                                          • Opcode Fuzzy Hash: cea19a9985b7d1c463cab3c5efcef0efaa412fd87112eee969f981a540f99a2a
                                                                                                                          • Instruction Fuzzy Hash: FF515C35A0021ADFFB11DFA4E994AAFB7B8FF48352B05016AED05A7251DB74DD08CA90
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • VariantInit.OLEAUT32(?), ref: 00053309
                                                                                                                          • SysAllocString.OLEAUT32(?), ref: 00053325
                                                                                                                          • VariantClear.OLEAUT32(?), ref: 000533AC
                                                                                                                          • SysFreeString.OLEAUT32(00000000), ref: 000533B7
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: StringVariant$AllocClearFreeInit
                                                                                                                          • String ID: `<u$xmlutil.cpp
                                                                                                                          • API String ID: 760788290-3482516102
                                                                                                                          • Opcode ID: bb2e3aedd130e1d3ef9777dbd4b3af02936b77c3687ce3a7d3fa76db8d39de5a
                                                                                                                          • Instruction ID: ec86a880a34b3390c5aadfd324685a696d98d655d411a0a144bf7de398bfe4a4
                                                                                                                          • Opcode Fuzzy Hash: bb2e3aedd130e1d3ef9777dbd4b3af02936b77c3687ce3a7d3fa76db8d39de5a
                                                                                                                          • Instruction Fuzzy Hash: 11218232901219AFCB21DF94C848EAFBBB9AF44752F150558FD05AB220CB319F08CB90
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • OpenProcessToken.ADVAPI32(?,00000008,?,000153BD,00000000,?,?,?,?,?,?,?,0002769D,00000000), ref: 00050897
                                                                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,0002769D,00000000), ref: 000508A1
                                                                                                                          • GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,?,?,?,?,0002769D,00000000), ref: 000508D3
                                                                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,0002769D,00000000), ref: 000508EC
                                                                                                                          • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,0002769D,00000000), ref: 0005092B
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorLastToken$ChangeCloseFindInformationNotificationOpenProcess
                                                                                                                          • String ID: procutil.cpp
                                                                                                                          • API String ID: 3650908616-1178289305
                                                                                                                          • Opcode ID: 33e3dfb4b88f1d1f1574d5e1b6feaab73a2a671180c661c8671576b4c8c134e4
                                                                                                                          • Instruction ID: ab248465a2c85cdf421f76d0bb3ba5f15aec95b570b27095b8778e02748914a8
                                                                                                                          • Opcode Fuzzy Hash: 33e3dfb4b88f1d1f1574d5e1b6feaab73a2a671180c661c8671576b4c8c134e4
                                                                                                                          • Instruction Fuzzy Hash: 9021F636D0022AFBE7309B958805AAFBBF8EF00712F014056ED54EB291D7709E04DAD0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • CreateFileW.KERNELBASE(?,80000000,00000005,?,00000003,00000080,00000000,?,00000000,?,?,?), ref: 00026B49
                                                                                                                          • CloseHandle.KERNEL32(00000000), ref: 00026BB9
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CloseCreateFileHandle
                                                                                                                          • String ID: %ls -%ls=%u$Failed to append the file handle to the command line.$Failed to append the file handle to the obfuscated command line.$burn.filehandle.self
                                                                                                                          • API String ID: 3498533004-3263533295
                                                                                                                          • Opcode ID: 55af1b31a48837f934966bc17a2c9ae185d5dae4f83ef3c703d608a7b8cd2a28
                                                                                                                          • Instruction ID: 90feb1cf231aa941839e140e7d334cdd22ef98a93972c038031edef3ee0ec901
                                                                                                                          • Opcode Fuzzy Hash: 55af1b31a48837f934966bc17a2c9ae185d5dae4f83ef3c703d608a7b8cd2a28
                                                                                                                          • Instruction Fuzzy Hash: 78113432600624BBCB215AA8DC0AFAF7BADDF45B35F010351FE24EB2E1D771985186A1
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • CoInitialize.OLE32(00000000), ref: 00053574
                                                                                                                          • InterlockedIncrement.KERNEL32(0007B6C8), ref: 00053591
                                                                                                                          • CLSIDFromProgID.OLE32(Msxml2.DOMDocument,0007B6B8,?,?,?,?,?,?), ref: 000535AC
                                                                                                                          • CLSIDFromProgID.OLE32(MSXML.DOMDocument,0007B6B8,?,?,?,?,?,?), ref: 000535B8
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: FromProg$IncrementInitializeInterlocked
                                                                                                                          • String ID: MSXML.DOMDocument$Msxml2.DOMDocument
                                                                                                                          • API String ID: 2109125048-2356320334
                                                                                                                          • Opcode ID: ffce216bde4f433966c745c241ab4c70dfcdfe1460b9f3b3fd1c804a446d5e04
                                                                                                                          • Instruction ID: 475f6daf250b97eaca8b6f918b2e3ea44aaaefeeac1721aceea25b17e57d369b
                                                                                                                          • Opcode Fuzzy Hash: ffce216bde4f433966c745c241ab4c70dfcdfe1460b9f3b3fd1c804a446d5e04
                                                                                                                          • Instruction Fuzzy Hash: ADF0E530B40B2557E7201B627D09B077DA5DB80FD7F102429EE09E6050F36CDA498AB0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000,00000001), ref: 00054A9D
                                                                                                                          • GlobalAlloc.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000001), ref: 00054ACA
                                                                                                                          • GetLastError.KERNEL32(?,00000000,?,00000000), ref: 00054AF6
                                                                                                                          • GetLastError.KERNEL32(00000000,0005B7A0,?,00000000,?,00000000,?,00000000), ref: 00054B34
                                                                                                                          • GlobalFree.KERNEL32(00000000), ref: 00054B65
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorLast$Global$AllocFree
                                                                                                                          • String ID: fileutil.cpp
                                                                                                                          • API String ID: 1145190524-2967768451
                                                                                                                          • Opcode ID: b4ed7aae95929734e54a5e59286c2211533af18dc0210c59fb978f2b5f8fac1d
                                                                                                                          • Instruction ID: 350a383141b1043709405dd557cb714e1fdd57535cf83703b909fe59e32a3a67
                                                                                                                          • Opcode Fuzzy Hash: b4ed7aae95929734e54a5e59286c2211533af18dc0210c59fb978f2b5f8fac1d
                                                                                                                          • Instruction Fuzzy Hash: B131F436E40229ABD7629A958C41FEFBBF8EF44766F114115FD08EB241E730DC4486E5
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • SetFilePointerEx.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?), ref: 00030B27
                                                                                                                          • GetLastError.KERNEL32(?,?,?), ref: 00030B31
                                                                                                                          Strings
                                                                                                                          • cabextract.cpp, xrefs: 00030B55
                                                                                                                          • Failed to move file pointer 0x%x bytes., xrefs: 00030B62
                                                                                                                          • Invalid seek type., xrefs: 00030ABD
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorFileLastPointer
                                                                                                                          • String ID: Failed to move file pointer 0x%x bytes.$Invalid seek type.$cabextract.cpp
                                                                                                                          • API String ID: 2976181284-417918914
                                                                                                                          • Opcode ID: aef91f5d355e3b26d6768d0d64e0f79f134effd0e812819f90da86e51b4a766a
                                                                                                                          • Instruction ID: 2297431db2ca62e9cd58b3c53d6c632f967d756c71ee465468a68954fa748bc9
                                                                                                                          • Opcode Fuzzy Hash: aef91f5d355e3b26d6768d0d64e0f79f134effd0e812819f90da86e51b4a766a
                                                                                                                          • Instruction Fuzzy Hash: B531AE32A4161AEFCB12DFA8D894DAEB7A9FF04724F148225FD14A7251D331ED108B91
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • CreateDirectoryW.KERNELBASE(?,840F01E8,00000000,00000000,?,0002A0E8,00000000,00000000,?,00000000,000153BD,00000000,?,?,0001D5B5,?), ref: 00014123
                                                                                                                          • GetLastError.KERNEL32(?,0002A0E8,00000000,00000000,?,00000000,000153BD,00000000,?,?,0001D5B5,?,00000000,00000000), ref: 00014131
                                                                                                                          • CreateDirectoryW.KERNEL32(?,840F01E8,00015489,?,0002A0E8,00000000,00000000,?,00000000,000153BD,00000000,?,?,0001D5B5,?,00000000), ref: 0001419A
                                                                                                                          • GetLastError.KERNEL32(?,0002A0E8,00000000,00000000,?,00000000,000153BD,00000000,?,?,0001D5B5,?,00000000,00000000), ref: 000141A4
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CreateDirectoryErrorLast
                                                                                                                          • String ID: dirutil.cpp
                                                                                                                          • API String ID: 1375471231-2193988115
                                                                                                                          • Opcode ID: 8c83032ebb6fe2c93e3151d14b5a2023540665ca187645d8596a50c23739c35e
                                                                                                                          • Instruction ID: 7bbbae2b678b272db8bfaae9a185b2d3c39b2de6d7f7eba6e7eb3f69fb09bc86
                                                                                                                          • Opcode Fuzzy Hash: 8c83032ebb6fe2c93e3151d14b5a2023540665ca187645d8596a50c23739c35e
                                                                                                                          • Instruction Fuzzy Hash: 8A11D236A40335B6D7B11AE55C44BFBB6E4EF75B72F114021FD08EA260E3648CC19291
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • CompareStringW.KERNELBASE(0000007F,00001000,?,000000FF,version.dll,000000FF,?,?,00000000,00016595,00016595,?,0001563D,?,?,00000000), ref: 000156E5
                                                                                                                          • GetLastError.KERNEL32(?,0001563D,?,?,00000000,?,?,00016595,?,00017F02,?,?,?,?,?), ref: 00015714
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CompareErrorLastString
                                                                                                                          • String ID: Failed to compare strings.$variable.cpp$version.dll
                                                                                                                          • API String ID: 1733990998-4228644734
                                                                                                                          • Opcode ID: 3f9019d436532f1e2625bcdeacd57f7824d868d6a8afed0feb6fa4cc4cb10b7a
                                                                                                                          • Instruction ID: d727ed88b7e83c3e5ce6be936eed48f03da05c2801831ea9355eb67432c6e948
                                                                                                                          • Opcode Fuzzy Hash: 3f9019d436532f1e2625bcdeacd57f7824d868d6a8afed0feb6fa4cc4cb10b7a
                                                                                                                          • Instruction Fuzzy Hash: F1210A36654A15EFC7108F58DD46DDEB7A4EB85722B210315FD24AF3C0E630ED418690
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                            • Part of subcall function 0003140C: SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000000,?,00030A19,?,?,?), ref: 00031434
                                                                                                                            • Part of subcall function 0003140C: GetLastError.KERNEL32(?,00030A19,?,?,?), ref: 0003143E
                                                                                                                          • ReadFile.KERNELBASE(?,?,?,?,00000000,?,?,?), ref: 00030A27
                                                                                                                          • GetLastError.KERNEL32 ref: 00030A31
                                                                                                                          Strings
                                                                                                                          • cabextract.cpp, xrefs: 00030A55
                                                                                                                          • Failed to read during cabinet extraction., xrefs: 00030A5F
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorFileLast$PointerRead
                                                                                                                          • String ID: Failed to read during cabinet extraction.$cabextract.cpp
                                                                                                                          • API String ID: 2170121939-2426083571
                                                                                                                          • Opcode ID: a148f66d9fa846766ce4946a8d7b67261fcb7682275e6c75ef2f2c28b1be3428
                                                                                                                          • Instruction ID: f9e619ef772ad0540d4c05cb66d3087e498124794871e36bc130fcbf19cc2e3b
                                                                                                                          • Opcode Fuzzy Hash: a148f66d9fa846766ce4946a8d7b67261fcb7682275e6c75ef2f2c28b1be3428
                                                                                                                          • Instruction Fuzzy Hash: 5711E136A01629BBCB229F95EC04E9F7BACFF09B60F114115FE04A7251C735A910CBE1
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000000,?,00030A19,?,?,?), ref: 00031434
                                                                                                                          • GetLastError.KERNEL32(?,00030A19,?,?,?), ref: 0003143E
                                                                                                                          Strings
                                                                                                                          • cabextract.cpp, xrefs: 00031462
                                                                                                                          • Failed to move to virtual file pointer., xrefs: 0003146C
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorFileLastPointer
                                                                                                                          • String ID: Failed to move to virtual file pointer.$cabextract.cpp
                                                                                                                          • API String ID: 2976181284-3005670968
                                                                                                                          • Opcode ID: a97e554ecef1a2b13195f72fd8796f15133c7be5e787978224bc9dfc56957e2a
                                                                                                                          • Instruction ID: 27fce6895f721933b1c48a792e32721eb0b4be65b32e65ce5e6a57379dd923d7
                                                                                                                          • Opcode Fuzzy Hash: a97e554ecef1a2b13195f72fd8796f15133c7be5e787978224bc9dfc56957e2a
                                                                                                                          • Instruction Fuzzy Hash: 1401A237A4063AB7D7225A969C08ACBBF69EF05771B118125FE286A151DB369C10CAE0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • ReadFile.KERNELBASE(?,?,00000000,?,00000000), ref: 00053F73
                                                                                                                          • GetLastError.KERNEL32 ref: 00053FD6
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorFileLastRead
                                                                                                                          • String ID: fileutil.cpp
                                                                                                                          • API String ID: 1948546556-2967768451
                                                                                                                          • Opcode ID: fc64277b7268464dfb89aa50c38b79c932e6d89607832bb11735b8be11017ade
                                                                                                                          • Instruction ID: 3d30af980f243474ad8e019573d7fab9f0bc26548250bc64a88714c0928cfa3a
                                                                                                                          • Opcode Fuzzy Hash: fc64277b7268464dfb89aa50c38b79c932e6d89607832bb11735b8be11017ade
                                                                                                                          • Instruction Fuzzy Hash: B7315C71E002699BDB21CE54C840BEBB7B4EB44792F0040BAFE49A7240D7B59EC89B94
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • WriteFile.KERNELBASE(00000000,00000000,00000000,?,00000000,00000000,00000000,?,?,?,00053F9A,?,?,?), ref: 00054E5E
                                                                                                                          • GetLastError.KERNEL32(?,?,00053F9A,?,?,?), ref: 00054E68
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorFileLastWrite
                                                                                                                          • String ID: fileutil.cpp
                                                                                                                          • API String ID: 442123175-2967768451
                                                                                                                          • Opcode ID: aed1de730dd5d204c6dff255ebf27eb68c879301bc3f7b30c70762078fa32fd2
                                                                                                                          • Instruction ID: 357da31fa6dc8f17b522e14750a7adc04330adfb0403571c1012ffc0c6e30d88
                                                                                                                          • Opcode Fuzzy Hash: aed1de730dd5d204c6dff255ebf27eb68c879301bc3f7b30c70762078fa32fd2
                                                                                                                          • Instruction Fuzzy Hash: 96F03133A01229ABD7209E9ADD4AEEFBBADFB44762F514115FD04D7140D731AE4086E0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • SetFilePointerEx.KERNELBASE(?,?,?,?,?,00000000,?,?,?,00028770,00000000,00000000,00000000,00000000,00000000), ref: 00054925
                                                                                                                          • GetLastError.KERNEL32(?,?,?,00028770,00000000,00000000,00000000,00000000,00000000), ref: 0005492F
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorFileLastPointer
                                                                                                                          • String ID: fileutil.cpp
                                                                                                                          • API String ID: 2976181284-2967768451
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00013877
                                                                                                                          • GetLastError.KERNEL32 ref: 00013881
                                                                                                                          • LoadLibraryW.KERNELBASE(?,?,00000104,?), ref: 000138EA
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: DirectoryErrorLastLibraryLoadSystem
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1230559179-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00013BB6,00000000,?,00011474,00000000,80004005,00000000,80004005,00000000,000001C7,?,000113B8), ref: 00013A20
                                                                                                                          • RtlFreeHeap.NTDLL(00000000,?,00013BB6,00000000,?,00011474,00000000,80004005,00000000,80004005,00000000,000001C7,?,000113B8,000001C7,00000100), ref: 00013A27
                                                                                                                          • GetLastError.KERNEL32(?,00013BB6,00000000,?,00011474,00000000,80004005,00000000,80004005,00000000,000001C7,?,000113B8,000001C7,00000100,?), ref: 00013A31
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Heap$ErrorFreeLastProcess
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 406640338-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,0007AAA0,00000000,?,000557E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00050F80
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Open
                                                                                                                          • String ID: regutil.cpp
                                                                                                                          • API String ID: 71445658-955085611
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • GetProcessHeap.KERNEL32(?,000001C7,?,?,0001226D,?,000001C7,00000001,80004005,8007139F,?,?,00050267,8007139F,?,00000000), ref: 00013B04
                                                                                                                          • RtlReAllocateHeap.NTDLL(00000000,?,0001226D,?,000001C7,00000001,80004005,8007139F,?,?,00050267,8007139F,?,00000000,00000000,8007139F), ref: 00013B0B
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Heap$AllocateProcess
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1357844191-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • VariantInit.OLEAUT32(?), ref: 000535F8
                                                                                                                            • Part of subcall function 0005304F: GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00000000,00053609,00000000,?,00000000), ref: 00053069
                                                                                                                            • Part of subcall function 0005304F: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,0003C025,?,00015405,?,00000000,?), ref: 00053075
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorHandleInitLastModuleVariant
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 52713655-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • RegCloseKey.ADVAPI32(80070490,00000000,80070490,0007AAA0,00000000,80070490,?,?,00028B19,WiX\Burn,PackageCache,00000000,0007AAA0,00000000,00000000,80070490), ref: 000558CA
                                                                                                                            • Part of subcall function 000510B5: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 0005112B
                                                                                                                            • Part of subcall function 000510B5: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00051163
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: QueryValue$Close
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1979452859-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • SHGetFolderPathW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,00000104,00000000,?,00028BD3,0000001C,80070490,00000000,00000000,80070490), ref: 000134D5
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: FolderPath
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1514166925-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • lstrlenW.KERNEL32(00000000,00000000,00000000,?,?,000121A8,?,00000000,?,00000000,?,0001390C,00000000,?,00000104), ref: 000114E8
                                                                                                                            • Part of subcall function 00013BD3: GetProcessHeap.KERNEL32(00000000,000001C7,?,000121CC,000001C7,80004005,8007139F,?,?,00050267,8007139F,?,00000000,00000000,8007139F), ref: 00013BDB
                                                                                                                            • Part of subcall function 00013BD3: HeapSize.KERNEL32(00000000,?,000121CC,000001C7,80004005,8007139F,?,?,00050267,8007139F,?,00000000,00000000,8007139F), ref: 00013BE2
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Heap$ProcessSizelstrlen
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3492610842-0
                                                                                                                          • Opcode ID: ed99a9a1f1a1fc3bc5929827bdc9bfd7a3d8c85d87cb1971746f1847faef455c
                                                                                                                          • Instruction ID: 5db8b00538388529babe5212da07f2facef696d2132df8ca838192cc2ab6ddf1
                                                                                                                          • Opcode Fuzzy Hash: ed99a9a1f1a1fc3bc5929827bdc9bfd7a3d8c85d87cb1971746f1847faef455c
                                                                                                                          • Instruction Fuzzy Hash: 6D01F933200629EBCF255E54ECC4FDE77A6AF84B54F114215FB265B151D731ADC086E4
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • SysFreeString.OLEAUT32(?), ref: 0001B11C
                                                                                                                            • Part of subcall function 0001394F: GetProcessHeap.KERNEL32(?,000001C7,?,00012274,000001C7,00000001,80004005,8007139F,?,?,00050267,8007139F,?,00000000,00000000,8007139F), ref: 00013960
                                                                                                                            • Part of subcall function 0001394F: RtlAllocateHeap.NTDLL(00000000,?,00012274,000001C7,00000001,80004005,8007139F,?,?,00050267,8007139F,?,00000000,00000000,8007139F), ref: 00013967
                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000000,0005CA9C,000000FF,DirectorySearch,000000FF,0005CA9C,Condition,feclient.dll,0005CA9C,Variable,?,0005CA9C,0005CA9C,?,?), ref: 0001AA29
                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,exists,000000FF,?,Type,?,?,Path,clbcatq.dll), ref: 0001AA7E
                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,path,000000FF), ref: 0001AA9A
                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,FileSearch,000000FF), ref: 0001AABE
                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,exists,000000FF,?,Type,?,?,Path,clbcatq.dll), ref: 0001AB11
                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,version,000000FF), ref: 0001AB2B
                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,RegistrySearch,000000FF), ref: 0001AB53
                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,HKCR,000000FF,?,Root,?), ref: 0001AB91
                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,HKCU,000000FF), ref: 0001ABB0
                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,HKLM,000000FF), ref: 0001ABCF
                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,exists,000000FF,?,Win64,msi.dll,?,Type,?,?,Value,version.dll,?), ref: 0001AC8D
                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,value,000000FF), ref: 0001ACA7
                                                                                                                            • Part of subcall function 000532F3: VariantInit.OLEAUT32(?), ref: 00053309
                                                                                                                            • Part of subcall function 000532F3: SysAllocString.OLEAUT32(?), ref: 00053325
                                                                                                                            • Part of subcall function 000532F3: VariantClear.OLEAUT32(?), ref: 000533AC
                                                                                                                            • Part of subcall function 000532F3: SysFreeString.OLEAUT32(00000000), ref: 000533B7
                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,numeric,000000FF,?,VariableType,?,?,ExpandEnvironment,cabinet.dll), ref: 0001AD06
                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,string,000000FF), ref: 0001AD28
                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,version,000000FF), ref: 0001AD48
                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,directory,000000FF), ref: 0001AE20
                                                                                                                          • SysFreeString.OLEAUT32(?), ref: 0001AFFE
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: String$Compare$Free$HeapVariant$AllocAllocateClearInitProcess
                                                                                                                          • String ID: ComponentId$Condition$DirectorySearch$DirectorySearch|FileSearch|RegistrySearch|MsiComponentSearch|MsiProductSearch|MsiFeatureSearch$ExpandEnvironment$Failed to allocate memory for search structs.$Failed to get @ComponentId.$Failed to get @Condition.$Failed to get @ExpandEnvironment.$Failed to get @FeatureId.$Failed to get @Id.$Failed to get @Path.$Failed to get @ProductCode or @UpgradeCode.$Failed to get @ProductCode.$Failed to get @Root.$Failed to get @Type.$Failed to get @UpgradeCode.$Failed to get @Variable.$Failed to get @VariableType.$Failed to get Key attribute.$Failed to get Value attribute.$Failed to get Win64 attribute.$Failed to get next node.$Failed to get search node count.$Failed to select search nodes.$FeatureId$FileSearch$HKCR$HKCU$HKLM$HKU$Invalid value for @Root: %ls$Invalid value for @Type: %ls$Invalid value for @VariableType: %ls$Key$MsiComponentSearch$MsiFeatureSearch$MsiProductSearch$Path$ProductCode$RegistrySearch$Root$Type$Unexpected element name: %ls$UpgradeCode$Value$Variable$VariableType$Win64$`<u$assignment$cabinet.dll$clbcatq.dll$comres.dll$directory$exists$feclient.dll$keyPath$language$msi.dll$numeric$path$search.cpp$state$string$value$version$version.dll$wininet.dll
                                                                                                                          • API String ID: 2748437055-56916464
                                                                                                                          • Opcode ID: e7b8c34e9969810670cae1ba64250201bf44344baab4969fc87cbc1aeba9dd60
                                                                                                                          • Instruction ID: 27da0bb68fafbb29d2f398a5115472426ecf8ab1c6913173e5ad65090098b851
                                                                                                                          • Opcode Fuzzy Hash: e7b8c34e9969810670cae1ba64250201bf44344baab4969fc87cbc1aeba9dd60
                                                                                                                          • Instruction Fuzzy Hash: D322F830E49666BADB318A94CC46EEF7A64AF05771F300350FE30BA1D1DB719E84D691
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • GetFileAttributesW.KERNEL32(?,?,?,?,00000001,00000000,?), ref: 00013D40
                                                                                                                          • GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00013D53
                                                                                                                          • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,00000001,00000000,?), ref: 00013D9E
                                                                                                                          • GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00013DA8
                                                                                                                          • GetTempPathW.KERNEL32(00000104,?,?,?,?,00000001,00000000,?), ref: 00013DF6
                                                                                                                          • GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00013E00
                                                                                                                          • FindFirstFileW.KERNEL32(?,?,?,*.*,?,?,?,?,00000001,00000000,?), ref: 00013E53
                                                                                                                          • GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00013E64
                                                                                                                          • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,00000001,00000000,?), ref: 00013F3E
                                                                                                                          • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,00000001,00000000,?), ref: 00013F52
                                                                                                                          • GetTempFileNameW.KERNEL32(?,DEL,00000000,?,?,?,?,00000001,00000000,?), ref: 00013F79
                                                                                                                          • MoveFileExW.KERNEL32(?,?,00000001,?,?,?,00000001,00000000,?), ref: 00013F9C
                                                                                                                          • MoveFileExW.KERNEL32(?,00000000,00000004,?,?,?,00000001,00000000,?), ref: 00013FB5
                                                                                                                          • FindNextFileW.KERNEL32(000000FF,?,?,?,?,?,?,?,00000001,00000000,?), ref: 00013FC5
                                                                                                                          • GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00013FDA
                                                                                                                          • GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00014009
                                                                                                                          • GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 0001402B
                                                                                                                          • GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 0001404D
                                                                                                                          • RemoveDirectoryW.KERNEL32(?,?,?,?,00000001,00000000,?), ref: 00014064
                                                                                                                          • GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 0001406E
                                                                                                                          • MoveFileExW.KERNEL32(?,00000000,00000004,?,?,?,00000001,00000000,?), ref: 00014095
                                                                                                                          • GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 000140B0
                                                                                                                          • FindClose.KERNEL32(000000FF,?,?,?,00000001,00000000,?), ref: 000140E6
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorFileLast$AttributesFindMove$Temp$CloseDeleteDirectoryFirstNameNextPathRemove
                                                                                                                          • String ID: *.*$DEL$dirutil.cpp
                                                                                                                          • API String ID: 1544372074-1252831301
                                                                                                                          • Opcode ID: b8c7c78844a70b2d4566d00761f66524048dee949c25d168df2ad6696e7a45cf
                                                                                                                          • Instruction ID: 88e56eb5642e936fbf20f001f3828e0aaa57048733256830d4bc4e53b136d178
                                                                                                                          • Opcode Fuzzy Hash: b8c7c78844a70b2d4566d00761f66524048dee949c25d168df2ad6696e7a45cf
                                                                                                                          • Instruction Fuzzy Hash: 65B1DC73D016399BDB715A658C05BEAB6F9AF44720F0102A5EE08BB190DB769ED0CED0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Strings
                                                                                                                          • Failed to perform minor upgrade of MSI package., xrefs: 00034638
                                                                                                                          • Failed to install MSI package., xrefs: 00034746
                                                                                                                          • Failed to add obfuscated properties to argument string., xrefs: 00034497
                                                                                                                          • Failed to add ADMIN property on admin install., xrefs: 0003471E
                                                                                                                          • REINSTALL=ALL, xrefs: 000345D3, 0003464D
                                                                                                                          • Failed to add reboot suppression property on install., xrefs: 000345BB
                                                                                                                          • Failed to add feature action properties to obfuscated argument string., xrefs: 000344DB
                                                                                                                          • Failed to add properties to argument string., xrefs: 00034463
                                                                                                                          • Failed to add patch properties to argument string., xrefs: 000344FD
                                                                                                                          • Failed to add reinstall all property on minor upgrade., xrefs: 000345EA
                                                                                                                          • Failed to uninstall MSI package., xrefs: 000347EF
                                                                                                                          • msasn1.dll, xrefs: 0003440B
                                                                                                                          • Failed to initialize external UI handler., xrefs: 000343F4
                                                                                                                          • Failed to enable logging for package: %ls to: %ls, xrefs: 0003441F
                                                                                                                          • REINSTALLMODE="vomus" REBOOT=ReallySuppress, xrefs: 000345F5
                                                                                                                          • %ls%ls REINSTALLMODE="cmus%ls" REBOOT=ReallySuppress, xrefs: 00034687
                                                                                                                          • Failed to add the list of dependencies to ignore to the properties., xrefs: 000346CA
                                                                                                                          • Failed to get cached path for package: %ls, xrefs: 0003434F
                                                                                                                          • IGNOREDEPENDENCIES, xrefs: 000346A5, 00034784
                                                                                                                          • Failed to add reinstall mode and reboot suppression properties on repair., xrefs: 0003469B
                                                                                                                          • Failed to run maintanance mode for MSI package., xrefs: 000346F6
                                                                                                                          • VersionString, xrefs: 0003428E, 000342EF
                                                                                                                          • %ls %ls=ALL, xrefs: 000346B6, 00034795
                                                                                                                          • Failed to add patch properties to obfuscated argument string., xrefs: 0003451F
                                                                                                                          • WixBundleExecutePackageAction, xrefs: 000343B7, 000348B4
                                                                                                                          • Failed to add reboot suppression property on uninstall., xrefs: 0003477D
                                                                                                                          • WixBundleExecutePackageCacheFolder, xrefs: 0003436A, 000348A4
                                                                                                                          • feclient.dll, xrefs: 000342C5, 0003434D, 0003441D, 0003454B, 000347D8
                                                                                                                          • Failed to add feature action properties to argument string., xrefs: 000344B9
                                                                                                                          • REBOOT=ReallySuppress, xrefs: 000345A0, 0003476C
                                                                                                                          • Failed to add reinstall mode and reboot suppression properties on minor upgrade., xrefs: 0003460C
                                                                                                                          • crypt32.dll, xrefs: 0003440A
                                                                                                                          • Failed to build MSI path., xrefs: 0003439D
                                                                                                                          • ACTION=ADMIN, xrefs: 00034709
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID: ACTION=ADMIN$ REBOOT=ReallySuppress$ REINSTALL=ALL$ REINSTALLMODE="vomus" REBOOT=ReallySuppress$%ls %ls=ALL$%ls%ls REINSTALLMODE="cmus%ls" REBOOT=ReallySuppress$Failed to add ADMIN property on admin install.$Failed to add feature action properties to argument string.$Failed to add feature action properties to obfuscated argument string.$Failed to add obfuscated properties to argument string.$Failed to add patch properties to argument string.$Failed to add patch properties to obfuscated argument string.$Failed to add properties to argument string.$Failed to add reboot suppression property on install.$Failed to add reboot suppression property on uninstall.$Failed to add reinstall all property on minor upgrade.$Failed to add reinstall mode and reboot suppression properties on minor upgrade.$Failed to add reinstall mode and reboot suppression properties on repair.$Failed to add the list of dependencies to ignore to the properties.$Failed to build MSI path.$Failed to enable logging for package: %ls to: %ls$Failed to get cached path for package: %ls$Failed to initialize external UI handler.$Failed to install MSI package.$Failed to perform minor upgrade of MSI package.$Failed to run maintanance mode for MSI package.$Failed to uninstall MSI package.$IGNOREDEPENDENCIES$VersionString$WixBundleExecutePackageAction$WixBundleExecutePackageCacheFolder$crypt32.dll$feclient.dll$msasn1.dll
                                                                                                                          • API String ID: 0-2033600224
                                                                                                                          • Opcode ID: d0d308c74389be80ff390e65111a41a09fe6a92a1a61f9d8df95bca4e1ff03aa
                                                                                                                          • Instruction ID: c684e35c9bb4ac598b845d78f3eaa16dc1a15dbccd12fc8d95a7719a07de07fe
                                                                                                                          • Opcode Fuzzy Hash: d0d308c74389be80ff390e65111a41a09fe6a92a1a61f9d8df95bca4e1ff03aa
                                                                                                                          • Instruction Fuzzy Hash: A2029571940625AFDB229F54CC45FEE77AEFF55700F0001A5F908AB252DB72AEA4CB90
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 000517B1
                                                                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 000517BB
                                                                                                                          • CreateWellKnownSid.ADVAPI32(0000001A,00000000,?,?), ref: 00051808
                                                                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0005180E
                                                                                                                          • CreateWellKnownSid.ADVAPI32(00000017,00000000,?,?), ref: 00051848
                                                                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0005184E
                                                                                                                          • CreateWellKnownSid.ADVAPI32(00000018,00000000,?,?), ref: 0005188E
                                                                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00051894
                                                                                                                          • CreateWellKnownSid.ADVAPI32(00000010,00000000,?,?), ref: 000518D4
                                                                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 000518DA
                                                                                                                          • CreateWellKnownSid.ADVAPI32(00000016,00000000,?,?), ref: 0005191A
                                                                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00051920
                                                                                                                          • SetEntriesInAclA.ADVAPI32(00000005,?,00000000,?), ref: 00051A11
                                                                                                                          • SetSecurityDescriptorOwner.ADVAPI32(?,?,00000000), ref: 00051A4B
                                                                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00051A55
                                                                                                                          • SetSecurityDescriptorGroup.ADVAPI32(?,?,00000000), ref: 00051A8D
                                                                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00051A97
                                                                                                                          • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00051AD0
                                                                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00051ADA
                                                                                                                          • CoInitializeSecurity.OLE32(?,000000FF,00000000,00000000,00000006,00000002,00000000,00003000,00000000), ref: 00051B18
                                                                                                                          • LocalFree.KERNEL32(?), ref: 00051B2E
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorLast$CreateKnownSecurityWell$Descriptor$Initialize$DaclEntriesFreeGroupLocalOwner
                                                                                                                          • String ID: srputil.cpp
                                                                                                                          • API String ID: 267631441-4105181634
                                                                                                                          • Opcode ID: 4d26ebf6afd7a3f3279ccd8c789649b8016ea754a605b0f6210a2f71e7b5e6e5
                                                                                                                          • Instruction ID: fe15bc58b1e16902bff737b34079aa9238a5addcb088a5048e25a027394ee9c9
                                                                                                                          • Opcode Fuzzy Hash: 4d26ebf6afd7a3f3279ccd8c789649b8016ea754a605b0f6210a2f71e7b5e6e5
                                                                                                                          • Instruction Fuzzy Hash: 34C17376D4123DABEB318F959C48BDFFAB8AF44751F0105AAAD04B7240E7749E448EA0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Strings
                                                                                                                          • Failed to append relation type to uninstall arguments for related bundle package, xrefs: 0003C644
                                                                                                                          • Failed to copy install arguments for related bundle package, xrefs: 0003C584
                                                                                                                          • Failed to append relation type to install arguments for related bundle package, xrefs: 0003C5A9
                                                                                                                          • Failed to copy filename for pseudo bundle., xrefs: 0003C417
                                                                                                                          • -%ls, xrefs: 0003C34C
                                                                                                                          • Failed to copy display name for pseudo bundle., xrefs: 0003C74F
                                                                                                                          • pseudobundle.cpp, xrefs: 0003C379, 0003C3B2, 0003C4A1, 0003C6D2
                                                                                                                          • Failed to copy cache id for pseudo bundle., xrefs: 0003C55F
                                                                                                                          • Failed to allocate memory for dependency providers., xrefs: 0003C6DE
                                                                                                                          • Failed to allocate space for burn package payload inside of related bundle struct, xrefs: 0003C385
                                                                                                                          • Failed to copy key for pseudo bundle payload., xrefs: 0003C3F3
                                                                                                                          • Failed to append relation type to repair arguments for related bundle package, xrefs: 0003C5F1
                                                                                                                          • Failed to copy download source for pseudo bundle., xrefs: 0003C469
                                                                                                                          • Failed to allocate memory for pseudo bundle payload hash., xrefs: 0003C4AD
                                                                                                                          • Failed to copy repair arguments for related bundle package, xrefs: 0003C5D0
                                                                                                                          • Failed to copy version for pseudo bundle., xrefs: 0003C72D
                                                                                                                          • Failed to copy uninstall arguments for related bundle package, xrefs: 0003C623
                                                                                                                          • Failed to copy local source path for pseudo bundle., xrefs: 0003C43B
                                                                                                                          • Failed to copy key for pseudo bundle., xrefs: 0003C542
                                                                                                                          • Failed to allocate space for burn payload inside of related bundle struct, xrefs: 0003C3BE
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Heap$AllocateProcess
                                                                                                                          • String ID: -%ls$Failed to allocate memory for dependency providers.$Failed to allocate memory for pseudo bundle payload hash.$Failed to allocate space for burn package payload inside of related bundle struct$Failed to allocate space for burn payload inside of related bundle struct$Failed to append relation type to install arguments for related bundle package$Failed to append relation type to repair arguments for related bundle package$Failed to append relation type to uninstall arguments for related bundle package$Failed to copy cache id for pseudo bundle.$Failed to copy display name for pseudo bundle.$Failed to copy download source for pseudo bundle.$Failed to copy filename for pseudo bundle.$Failed to copy install arguments for related bundle package$Failed to copy key for pseudo bundle payload.$Failed to copy key for pseudo bundle.$Failed to copy local source path for pseudo bundle.$Failed to copy repair arguments for related bundle package$Failed to copy uninstall arguments for related bundle package$Failed to copy version for pseudo bundle.$pseudobundle.cpp
                                                                                                                          • API String ID: 1357844191-2832335422
                                                                                                                          • Opcode ID: 2976b549a79746951e447f75ea1e8f00654388876a065ace69810ded868d0649
                                                                                                                          • Instruction ID: e5962025d0b97190cbe9053be5a92a9fbae5c723ed35082f4966c2ac533e89b6
                                                                                                                          • Opcode Fuzzy Hash: 2976b549a79746951e447f75ea1e8f00654388876a065ace69810ded868d0649
                                                                                                                          • Instruction Fuzzy Hash: 96C1BE71A00616BBEB66DF24C891EAA76EDBF08710F004129FD15FB241DB71EC509B90
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW0x00100000;;;WD),00000001,?,00000000), ref: 00024F0D
                                                                                                                          • GetLastError.KERNEL32(?,00000000,?,?,0001452F,?), ref: 00024F16
                                                                                                                          • CreateNamedPipeW.KERNEL32(000000FF,lid payload: %2!ls!, reason: 0x%3!x!,00000000,00000001,00010000,00010000,00000001,?,?,00000000,?,?,0001452F,?), ref: 00024FB8
                                                                                                                          • GetLastError.KERNEL32(?,0001452F,?), ref: 00024FC5
                                                                                                                          • CreateNamedPipeW.KERNEL32(000000FF,lid payload: %2!ls!, reason: 0x%3!x!,00000000,00000001,00010000,00010000,00000001,00000000,?,?,?,?,?,?,?,0001452F), ref: 00025040
                                                                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,0001452F,?), ref: 0002504B
                                                                                                                          • CloseHandle.KERNEL32(00000000,pipe.cpp,00000132,00000000,?,?,?,?,?,?,?,0001452F,?), ref: 0002508B
                                                                                                                          • LocalFree.KERNEL32(00000000,?,0001452F,?), ref: 000250B9
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorLast$CreateDescriptorNamedPipeSecurity$CloseConvertFreeHandleLocalString
                                                                                                                          • String ID: D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW0x00100000;;;WD)$Failed to allocate full name of cache pipe: %ls$Failed to allocate full name of pipe: %ls$Failed to create pipe: %ls$Failed to create the security descriptor for the connection event and pipe.$\\.\pipe\%ls$\\.\pipe\%ls.Cache$lid payload: %2!ls!, reason: 0x%3!x!$pipe.cpp
                                                                                                                          • API String ID: 1214480349-891656142
                                                                                                                          • Opcode ID: 069119e02e29383c5cb684142c0726d93a82e042bd45ac78981308fb7d432200
                                                                                                                          • Instruction ID: b07655ad92a5b9a985a5e0bef3769ff80701f488b8051fc55acd4f422844a806
                                                                                                                          • Opcode Fuzzy Hash: 069119e02e29383c5cb684142c0726d93a82e042bd45ac78981308fb7d432200
                                                                                                                          • Instruction Fuzzy Hash: CA51C372D40735FBDB219B94DD86BEEBAA4AF04721F110125FE00BA2D1D3B55E408AD5
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • GetCurrentProcess.KERNEL32(00000020,?,00000001,00000000,?,?,?,?,?,?,?), ref: 00014617
                                                                                                                          • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 0001461E
                                                                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 00014628
                                                                                                                          • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00014678
                                                                                                                          • GetLastError.KERNEL32 ref: 00014682
                                                                                                                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,00000000), ref: 000146C6
                                                                                                                          • GetLastError.KERNEL32 ref: 000146D0
                                                                                                                          • Sleep.KERNEL32(000003E8), ref: 0001470C
                                                                                                                          • InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000000,00000001,80040002), ref: 0001471D
                                                                                                                          • GetLastError.KERNEL32 ref: 00014727
                                                                                                                          • CloseHandle.KERNEL32(?), ref: 0001477D
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorLast$ProcessToken$AdjustCloseCurrentHandleInitiateLookupOpenPrivilegePrivilegesShutdownSleepSystemValue
                                                                                                                          • String ID: Failed to adjust token to add shutdown privileges.$Failed to get process token.$Failed to get shutdown privilege LUID.$Failed to schedule restart.$SeShutdownPrivilege$engine.cpp
                                                                                                                          • API String ID: 2241679041-1583736410
                                                                                                                          • Opcode ID: 932c797f5f2c387101af94f9ae26e7b38df478de44312d54030c91077c58c9c4
                                                                                                                          • Instruction ID: 291118f3a9b1ee36a46fdbe7eb83c1d47b4fec06190f7035f6b63ccd7c42e9a4
                                                                                                                          • Opcode Fuzzy Hash: 932c797f5f2c387101af94f9ae26e7b38df478de44312d54030c91077c58c9c4
                                                                                                                          • Instruction Fuzzy Hash: 9B411A77E40725ABE7209BA58C4ABFF76A8AB01756F010125FF00BB1E0D7299C8486E1
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000003,F0000040,00000003,00000000,00000000,00029F04,00000003,000007D0,00000003,?,000007D0,00000000,000007D0), ref: 0004FAC7
                                                                                                                          • GetLastError.KERNEL32 ref: 0004FAD1
                                                                                                                          • CryptCreateHash.ADVAPI32(?,?,00000000,00000000,?), ref: 0004FB0E
                                                                                                                          • GetLastError.KERNEL32 ref: 0004FB18
                                                                                                                          • CryptHashData.ADVAPI32(?,?,?,00000000), ref: 0004FB5F
                                                                                                                          • ReadFile.KERNEL32(00000000,?,00001000,?,00000000), ref: 0004FB83
                                                                                                                          • GetLastError.KERNEL32 ref: 0004FB8D
                                                                                                                          • CryptDestroyHash.ADVAPI32(00000000), ref: 0004FBCA
                                                                                                                          • CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 0004FBE1
                                                                                                                          • GetLastError.KERNEL32 ref: 0004FBFC
                                                                                                                          • CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000), ref: 0004FC34
                                                                                                                          • GetLastError.KERNEL32 ref: 0004FC3E
                                                                                                                          • SetFilePointerEx.KERNEL32(00000000,00000000,00000000,00008004,00000001), ref: 0004FC77
                                                                                                                          • GetLastError.KERNEL32 ref: 0004FC85
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CryptErrorLast$Hash$ContextFile$AcquireCreateDataDestroyParamPointerReadRelease
                                                                                                                          • String ID: cryputil.cpp
                                                                                                                          • API String ID: 3955742341-2185294990
                                                                                                                          • Opcode ID: 27723e2308a2dca87cc8272a9f94acf3cd17813a80303d1117398c637bc4b2d8
                                                                                                                          • Instruction ID: 0e91f2e705e5af83cc5d8f49a3c6d4b6b632d04b632865d16e924f91aa9e17bc
                                                                                                                          • Opcode Fuzzy Hash: 27723e2308a2dca87cc8272a9f94acf3cd17813a80303d1117398c637bc4b2d8
                                                                                                                          • Instruction Fuzzy Hash: 5051D7B7D4023AABE7318A51CD05BFB76A4EF04751F0141B5BE48FB180E774AD808AE9
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Strings
                                                                                                                          • Failed to move verified file to complete payload path: %ls, xrefs: 0002A06C
                                                                                                                          • Failed to find payload: %ls in working path: %ls and unverified path: %ls, xrefs: 00029FCB
                                                                                                                          • moving, xrefs: 0002A029
                                                                                                                          • Failed to reset permissions on unverified cached payload: %ls, xrefs: 00029FF1
                                                                                                                          • Failed to get cached path for package with cache id: %ls, xrefs: 00029EC8
                                                                                                                          • Failed to concat complete cached path., xrefs: 00029EF4
                                                                                                                          • Failed to create unverified path., xrefs: 00029F6E
                                                                                                                          • copying, xrefs: 0002A030, 0002A038
                                                                                                                          • Failed to transfer working path to unverified path for payload: %ls., xrefs: 00029FA4
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID: Failed to concat complete cached path.$Failed to create unverified path.$Failed to find payload: %ls in working path: %ls and unverified path: %ls$Failed to get cached path for package with cache id: %ls$Failed to move verified file to complete payload path: %ls$Failed to reset permissions on unverified cached payload: %ls$Failed to transfer working path to unverified path for payload: %ls.$copying$moving
                                                                                                                          • API String ID: 0-1289240508
                                                                                                                          • Opcode ID: 86a8477c7eba81d20f1fdbea63843104fb725a450f3280329d7b72651818e03c
                                                                                                                          • Instruction ID: 4ee13da9ae9bde562bd52b7af29263fdff003a595be8f4b34fb0a008547add41
                                                                                                                          • Opcode Fuzzy Hash: 86a8477c7eba81d20f1fdbea63843104fb725a450f3280329d7b72651818e03c
                                                                                                                          • Instruction Fuzzy Hash: 67517331940129FBDF226B90DD42FEE7B76AF04701F104051FD00B61A2EB775EA4AB85
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • GetVersionExW.KERNEL32(0000011C), ref: 000162F8
                                                                                                                          • GetLastError.KERNEL32 ref: 00016302
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorLastVersion
                                                                                                                          • String ID: Failed to get OS info.$Failed to set variant value.$variable.cpp
                                                                                                                          • API String ID: 305913169-1971907631
                                                                                                                          • Opcode ID: 6eff3bb942c1c4dca28e4b62599bacceb56d7799eb765b3e94f3902baccb70cd
                                                                                                                          • Instruction ID: 521f8e04dacca4d339342e1ea88be5d7dd7e1f56fb71b443165df91d79e754db
                                                                                                                          • Opcode Fuzzy Hash: 6eff3bb942c1c4dca28e4b62599bacceb56d7799eb765b3e94f3902baccb70cd
                                                                                                                          • Instruction Fuzzy Hash: 5541B5B2E00228ABDB309B59CC45FEFBBB8EB85710F00059AF515E7181D6359EC1CB90
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • GetSystemTime.KERNEL32(?), ref: 00016062
                                                                                                                          • GetDateFormatW.KERNEL32(00000400,00000001,?,00000000,00000000,00000000), ref: 00016076
                                                                                                                          • GetLastError.KERNEL32 ref: 00016088
                                                                                                                          • GetDateFormatW.KERNEL32(00000400,00000001,?,00000000,?,00000000,?,00000000), ref: 000160DC
                                                                                                                          • GetLastError.KERNEL32 ref: 000160E6
                                                                                                                          Strings
                                                                                                                          • Failed to set variant value., xrefs: 00016124
                                                                                                                          • Failed to get the required buffer length for the Date., xrefs: 000160AD
                                                                                                                          • Failed to allocate the buffer for the Date., xrefs: 000160C4
                                                                                                                          • Failed to get the Date., xrefs: 0001610B
                                                                                                                          • variable.cpp, xrefs: 000160A3, 00016101
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: DateErrorFormatLast$SystemTime
                                                                                                                          • String ID: Failed to allocate the buffer for the Date.$Failed to get the Date.$Failed to get the required buffer length for the Date.$Failed to set variant value.$variable.cpp
                                                                                                                          • API String ID: 2700948981-3682088697
                                                                                                                          • Opcode ID: b4c81d74da74ca19db5299867948034cd6afdfab04b066ffd36e0e2753096a89
                                                                                                                          • Instruction ID: 49251e1b4c4c2806a8b5ea9e1c3c336313ab29226c525cc920b3a8a6cac176b4
                                                                                                                          • Opcode Fuzzy Hash: b4c81d74da74ca19db5299867948034cd6afdfab04b066ffd36e0e2753096a89
                                                                                                                          • Instruction Fuzzy Hash: AC31A936A407297BDB229BE98C42EFF7AA9EB04711F110525FF00F7181DA669D8486E1
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • EnterCriticalSection.KERNEL32(0007B5FC,00000000,?,?,?,?,000312CF,8007139F,Invalid operation for this state.,cabextract.cpp,000001C7,8007139F), ref: 0004FEF4
                                                                                                                          • GetCurrentProcessId.KERNEL32(00000000,?,000312CF,8007139F,Invalid operation for this state.,cabextract.cpp,000001C7,8007139F), ref: 0004FF04
                                                                                                                          • GetCurrentThreadId.KERNEL32 ref: 0004FF0D
                                                                                                                          • GetLocalTime.KERNEL32(8007139F,?,000312CF,8007139F,Invalid operation for this state.,cabextract.cpp,000001C7,8007139F), ref: 0004FF23
                                                                                                                          • LeaveCriticalSection.KERNEL32(0007B5FC,000312CF,?,00000000,0000FDE9,?,000312CF,8007139F,Invalid operation for this state.,cabextract.cpp,000001C7,8007139F), ref: 0005001A
                                                                                                                          Strings
                                                                                                                          • %ls[%04X:%04X][%04hu-%02hu-%02huT%02hu:%02hu:%02hu]%hs%03d:%ls %ls%ls, xrefs: 0004FFC0
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CriticalCurrentSection$EnterLeaveLocalProcessThreadTime
                                                                                                                          • String ID: %ls[%04X:%04X][%04hu-%02hu-%02huT%02hu:%02hu:%02hu]%hs%03d:%ls %ls%ls
                                                                                                                          • API String ID: 296830338-59366893
                                                                                                                          • Opcode ID: 9ac82e1840982d8f5c910b836cbfefbbc9beed010abce79ed70dede118bdd049
                                                                                                                          • Instruction ID: 6a4200e63818ff3ddbdaff048ca711529d35760c403b41841ba43d30035d2c35
                                                                                                                          • Opcode Fuzzy Hash: 9ac82e1840982d8f5c910b836cbfefbbc9beed010abce79ed70dede118bdd049
                                                                                                                          • Instruction Fuzzy Hash: F941AF71D0061AABEB619FA4CC04BBFB6B8EF08712F004435FA05E6290D73D9D85DBA5
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • FindFirstFileW.KERNEL32(?,?,00000000,?,*.*,?,?,?,00000000,.unverified,?), ref: 00029BF2
                                                                                                                          • lstrlenW.KERNEL32(?), ref: 00029C19
                                                                                                                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 00029C79
                                                                                                                          • FindClose.KERNEL32(00000000), ref: 00029C84
                                                                                                                            • Part of subcall function 00013CC4: GetFileAttributesW.KERNEL32(?,?,?,?,00000001,00000000,?), ref: 00013D40
                                                                                                                            • Part of subcall function 00013CC4: GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00013D53
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: FileFind$AttributesCloseErrorFirstLastNextlstrlen
                                                                                                                          • String ID: *.*$.unverified
                                                                                                                          • API String ID: 457978746-2528915496
                                                                                                                          • Opcode ID: ec8fc87a1d4e310f095e4d11ed46a5236c2bfbdda40b367a25e6a7a3657b1c47
                                                                                                                          • Instruction ID: 8a348ec7d34c50c405baeb917094d126bfa78971b0231c960eef5b57747016cf
                                                                                                                          • Opcode Fuzzy Hash: ec8fc87a1d4e310f095e4d11ed46a5236c2bfbdda40b367a25e6a7a3657b1c47
                                                                                                                          • Instruction Fuzzy Hash: 9F41663190057CAEDB61AB60ED49BEEB7F8EF44302F5001A5E908E10A1EB759ED4DF54
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • GetTimeZoneInformation.KERNEL32(?,00000001,00000000), ref: 000588D0
                                                                                                                          • SystemTimeToTzSpecificLocalTime.KERNEL32(?,?,?), ref: 000588E2
                                                                                                                          Strings
                                                                                                                          • %04hu-%02hu-%02huT%02hu:%02hu:%02hu%c%02u:%02u, xrefs: 0005892D
                                                                                                                          • feclient.dll, xrefs: 000588AA
                                                                                                                          • %04hu-%02hu-%02huT%02hu:%02hu:%02huZ, xrefs: 000588B9
                                                                                                                          • crypt32.dll, xrefs: 000588A0
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Time$InformationLocalSpecificSystemZone
                                                                                                                          • String ID: %04hu-%02hu-%02huT%02hu:%02hu:%02hu%c%02u:%02u$%04hu-%02hu-%02huT%02hu:%02hu:%02huZ$crypt32.dll$feclient.dll
                                                                                                                          • API String ID: 1772835396-1985132828
                                                                                                                          • Opcode ID: 85a4b6afdb35729b32bb5cd65d0055a8b88cec7a586c3a7ef71a56e72ebe9815
                                                                                                                          • Instruction ID: 3d65b0bf32f2fa77e7fe4c90d40a322b949f3c2a86c55141e8897c26af0ed640
                                                                                                                          • Opcode Fuzzy Hash: 85a4b6afdb35729b32bb5cd65d0055a8b88cec7a586c3a7ef71a56e72ebe9815
                                                                                                                          • Instruction Fuzzy Hash: FF21E966900118EAD764DB99DC05EBFB3FCEB48711F00855AF945E6180E639AA80D770
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: __floor_pentium4
                                                                                                                          • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                                                                          • API String ID: 4168288129-2761157908
                                                                                                                          • Opcode ID: 47f9436c7584bd3070f904c44043e078f9e1bb294a9d29e413dd6adc4ef575ad
                                                                                                                          • Instruction ID: ce6ea113a1dd76b98be1deee1e8cc4d25c87b1ae786de4190e21497676a822a6
                                                                                                                          • Opcode Fuzzy Hash: 47f9436c7584bd3070f904c44043e078f9e1bb294a9d29e413dd6adc4ef575ad
                                                                                                                          • Instruction Fuzzy Hash: A6C258B1E086288FDB65CE28DD407EAB3F5EB85305F1441EAD80DE7241E778AE818F45
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorLastNameUser
                                                                                                                          • String ID: Failed to get the user name.$Failed to set variant value.$variable.cpp
                                                                                                                          • API String ID: 2054405381-1522884404
                                                                                                                          • Opcode ID: 9e376dfe43f8c6aebf37ba95dafd79e819348ea5b45f5e34e05bc63760ccd69c
                                                                                                                          • Instruction ID: 22fbc48321921c7d47d8201d228f140a969c031352e4003af10b3a390d015c89
                                                                                                                          • Opcode Fuzzy Hash: 9e376dfe43f8c6aebf37ba95dafd79e819348ea5b45f5e34e05bc63760ccd69c
                                                                                                                          • Instruction Fuzzy Hash: B6019632B417286BD7219B54DC05AEF77A8DB00721F110256FD14E7281DB799D848AD5
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • FormatMessageW.KERNEL32(00000900,?,?,00000000,00000000,00000000,?,00000000,?,?,000504F4,?,?,?,?,00000001), ref: 0004FE40
                                                                                                                          • GetLastError.KERNEL32(?,000504F4,?,?,?,?,00000001,?,00015616,?,?,00000000,?,?,00015395,00000002), ref: 0004FE4C
                                                                                                                          • LocalFree.KERNEL32(00000000,?,?,00000000,?,?,000504F4,?,?,?,?,00000001,?,00015616,?,?), ref: 0004FEB5
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorFormatFreeLastLocalMessage
                                                                                                                          • String ID: logutil.cpp
                                                                                                                          • API String ID: 1365068426-3545173039
                                                                                                                          • Opcode ID: e5a40d60ea25fcc56e83026705a59b14d0d6fa82d3302166f4f2626d92c6bdd5
                                                                                                                          • Instruction ID: 1eb9642ff745ac2c49bcfbe8ea0ced7ae9ab845173d944332be6df38202c7aee
                                                                                                                          • Opcode Fuzzy Hash: e5a40d60ea25fcc56e83026705a59b14d0d6fa82d3302166f4f2626d92c6bdd5
                                                                                                                          • Instruction Fuzzy Hash: B31190B2A0022AEBDB319F82CD05EFF7AA8EF54712F014039FD0496161D7719E10D6A4
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000003,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00036B32,00000000,00000003), ref: 00036B9F
                                                                                                                          • GetLastError.KERNEL32(?,00036B32,00000000,00000003,00000000,?,?,?,?,?,?,?,?,?,00036F28,?), ref: 00036BA9
                                                                                                                          Strings
                                                                                                                          • msuengine.cpp, xrefs: 00036BCD
                                                                                                                          • Failed to set service start type., xrefs: 00036BD7
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ChangeConfigErrorLastService
                                                                                                                          • String ID: Failed to set service start type.$msuengine.cpp
                                                                                                                          • API String ID: 1456623077-1628545019
                                                                                                                          • Opcode ID: 8340c21495091b447d2fc726d85dbc27ef6613ab0aab49f50bf39da658b72c89
                                                                                                                          • Instruction ID: d91e8c4d31c27360786e4b87557486c9a5adf1f47d7708a7bef52d186012480d
                                                                                                                          • Opcode Fuzzy Hash: 8340c21495091b447d2fc726d85dbc27ef6613ab0aab49f50bf39da658b72c89
                                                                                                                          • Instruction Fuzzy Hash: 8BF0A033A4923537DB2126969C09ACBBE4C9F01BB1B114321FE28EA1D1EB56990086E0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 00043D6E
                                                                                                                          • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 00043D78
                                                                                                                          • UnhandledExceptionFilter.KERNEL32(80003CDD,?,?,?,?,?,?), ref: 00043D85
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3906539128-0
                                                                                                                          • Opcode ID: 48c966d6f8b24d712018f8f20c19cfbef2baaad7a34ad05c8eabffae26e1bad0
                                                                                                                          • Instruction ID: 8fca2325c086557d6e2f9a8b082b440f77c8646b5e06cff1ed1eb28594b5434d
                                                                                                                          • Opcode Fuzzy Hash: 48c966d6f8b24d712018f8f20c19cfbef2baaad7a34ad05c8eabffae26e1bad0
                                                                                                                          • Instruction Fuzzy Hash: 9531C27490122C9BCB61DF65D9897DDBBB8BF08310F5046EAE40CA6251EB349F818F45
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • GetCurrentProcess.KERNEL32(00000000,?,000448AE,00000000,00077F08,0000000C,00044A05,00000000,00000002,00000000), ref: 000448F9
                                                                                                                          • TerminateProcess.KERNEL32(00000000,?,000448AE,00000000,00077F08,0000000C,00044A05,00000000,00000002,00000000), ref: 00044900
                                                                                                                          • ExitProcess.KERNEL32 ref: 00044912
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Process$CurrentExitTerminate
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1703294689-0
                                                                                                                          • Opcode ID: c09b404e9b494a0a3724528e1689710dfd896a78279547b234dd59ffa023a797
                                                                                                                          • Instruction ID: 6c20d7bad47179dac3d2624ed298085b8f0f26135ee990de1f29c9020be55479
                                                                                                                          • Opcode Fuzzy Hash: c09b404e9b494a0a3724528e1689710dfd896a78279547b234dd59ffa023a797
                                                                                                                          • Instruction Fuzzy Hash: EBE0EC71400648AFDF51AF54DD09A9A3B69EF45782F008424F9199B132CB39ED52DB98
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 4f8f95bc5e7c876d0a1a0b2598f8063104ee7b1299e502c05a036ee161ca1c45
                                                                                                                          • Instruction ID: 8acd52982e058bece6fa96eb2973ed23db96585f61bc269cf2b9a5f532f2dd5a
                                                                                                                          • Opcode Fuzzy Hash: 4f8f95bc5e7c876d0a1a0b2598f8063104ee7b1299e502c05a036ee161ca1c45
                                                                                                                          • Instruction Fuzzy Hash: FE023DB1E402199FDF24CFA9C8806AEB7F1EF89324F258169D819E7381D730AD41CB95
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                            • Part of subcall function 00053BF1: RegCloseKey.ADVAPI32(00000000,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,00020019,00000000,?,?,?,?,?,00053A8E,?), ref: 00053C62
                                                                                                                          • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00053AB2
                                                                                                                          • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00053AC3
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: AllocateCheckCloseInitializeMembershipToken
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2114926846-0
                                                                                                                          • Opcode ID: cc141539f58e60fd7d211431991621ecbadb1eeb96e81f4b0b5c0f146a441ddb
                                                                                                                          • Instruction ID: 86afc27ea71d6c99c0d824f7b08bcf2bd6d37b26cbb9edbf68bd51dfdeb067bb
                                                                                                                          • Opcode Fuzzy Hash: cc141539f58e60fd7d211431991621ecbadb1eeb96e81f4b0b5c0f146a441ddb
                                                                                                                          • Instruction Fuzzy Hash: 2E111B7190021EABEB10DFA4CC85BAFB7F8FF08341F50582DA941A7191E7749E48CB61
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • FindFirstFileW.KERNEL32(0003923A,?,00000100,00000000,00000000), ref: 0005447B
                                                                                                                          • FindClose.KERNEL32(00000000), ref: 00054487
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Find$CloseFileFirst
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2295610775-0
                                                                                                                          • Opcode ID: 7bae3bcb0f730b756b799b149902533ac1d4e1614cc828832cac38f4903fb083
                                                                                                                          • Instruction ID: 6d8fdd0cb35d718897ca2f9ce403eaae8795b2be3f8cd9d2196725ca26465896
                                                                                                                          • Opcode Fuzzy Hash: 7bae3bcb0f730b756b799b149902533ac1d4e1614cc828832cac38f4903fb083
                                                                                                                          • Instruction Fuzzy Hash: 8801D631A002086BDB10EF65ED89AABB3ACEBC531AF400165F918D3181D6346D898B54
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID: 0$comres.dll
                                                                                                                          • API String ID: 0-3030269839
                                                                                                                          • Opcode ID: f7a880ec5967ec64a90054ca813bf1243ddeae79b496adee3d9f08ad155e7dd2
                                                                                                                          • Instruction ID: 68a578a7e1585671adaa21de05760d7577c82e0dc251dc8025ba4acf42647c02
                                                                                                                          • Opcode Fuzzy Hash: f7a880ec5967ec64a90054ca813bf1243ddeae79b496adee3d9f08ad155e7dd2
                                                                                                                          • Instruction Fuzzy Hash: 785178E0B00B0567DBB8496885D67FF63D59B66380FD80939F883DB293C615DE81835E
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,0004EE77,?,?,00000008,?,?,0004EB17,00000000), ref: 0004F0A9
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ExceptionRaise
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3997070919-0
                                                                                                                          • Opcode ID: e004c1c4240a98892d3fba166ec7b7d74980ffafebf62dc2cc27af0ac598946d
                                                                                                                          • Instruction ID: 3c427e68bcd578f24f12a2c1404472010f6f3006e45dccb1e2ecbeb529fdfcb9
                                                                                                                          • Opcode Fuzzy Hash: e004c1c4240a98892d3fba166ec7b7d74980ffafebf62dc2cc27af0ac598946d
                                                                                                                          • Instruction Fuzzy Hash: 36B15FB1510609DFD759CF28C486B657BE0FF45364F2586B8E89ACF2A2C335E981CB44
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 0003EC20
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: FeaturePresentProcessor
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2325560087-0
                                                                                                                          • Opcode ID: 6e77f48dca6bafe3069c1de1bbb30a19400aa70458f99cf1b24f52b96c10127b
                                                                                                                          • Instruction ID: 4476c9d2fcb78733138eb4b10175a835ef775f9419f183c19ac14554248c47c9
                                                                                                                          • Opcode Fuzzy Hash: 6e77f48dca6bafe3069c1de1bbb30a19400aa70458f99cf1b24f52b96c10127b
                                                                                                                          • Instruction Fuzzy Hash: 2151AD71E102088BEB59CF59D8857AEBBF8FB88300F14866AD409EB290D3799D40CF91
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • SetUnhandledExceptionFilter.KERNEL32(Function_0002E9E8,0003E131), ref: 0003E9E1
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ExceptionFilterUnhandled
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3192549508-0
                                                                                                                          • Opcode ID: df19e37138b79162217d2d34cc8d803ddfac335817defa158fdf106669c8823d
                                                                                                                          • Instruction ID: 6d802f4b9924b1a9fabf296ae9211ab5c3d26f70f2ca8fd36a6158dc3ba0e9cf
                                                                                                                          • Opcode Fuzzy Hash: df19e37138b79162217d2d34cc8d803ddfac335817defa158fdf106669c8823d
                                                                                                                          • Instruction Fuzzy Hash:
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: e1d680f06f36262e6b9b73a028fecce3884d6f59676fa9550d899d4f092d5b71
                                                                                                                          • Instruction ID: a63aaee3e81aa96193c89fe5d1a33b5b1b68b3993fc5e14c51d242db591d7cb4
                                                                                                                          • Opcode Fuzzy Hash: e1d680f06f36262e6b9b73a028fecce3884d6f59676fa9550d899d4f092d5b71
                                                                                                                          • Instruction Fuzzy Hash: 690217325081A30BDBAE4A39853007B7BE56F433B1B1E477DD8B6CB1D6DE20E964D660
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 713254dbb735968c7063ac25a152bc56bcdf297f8f834348282298adb5de4d15
                                                                                                                          • Instruction ID: f3fee768a9b78d234addaa6d613ac10846f9a4c78102a0531bf1631767749f0b
                                                                                                                          • Opcode Fuzzy Hash: 713254dbb735968c7063ac25a152bc56bcdf297f8f834348282298adb5de4d15
                                                                                                                          • Instruction Fuzzy Hash: 49C1A5B31091A34AEFAD4739847407EBBE15B923B131A07BDD5B2EB0D5EE309538D624
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: f3c7a540a95456d95b2f03679edd2d49eac6f1621006280bdad19664e1d0b21d
                                                                                                                          • Instruction ID: 9989e4474f4b06ff3b7e5b5b31c33959d00905132d1516cafe79acfc1723167b
                                                                                                                          • Opcode Fuzzy Hash: f3c7a540a95456d95b2f03679edd2d49eac6f1621006280bdad19664e1d0b21d
                                                                                                                          • Instruction Fuzzy Hash: EDC1A2B31091A20AEFAD4639843407EBBE15F823B131A17BDD5F2EB1C5EE309934D664
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 43c190a499e79552c1a64f39d84a7142e521bf6eb77b491d3645054bb47bb5be
                                                                                                                          • Instruction ID: 3251f6dbe8545e18a237df90efbf1ba94e6c8c4cdd671a4c15af7c92af91c99e
                                                                                                                          • Opcode Fuzzy Hash: 43c190a499e79552c1a64f39d84a7142e521bf6eb77b491d3645054bb47bb5be
                                                                                                                          • Instruction Fuzzy Hash: F7C1A2B21091A20BEBAD4639847407FBBE15B923B131A07ADD5B3EB0D5EE309534DA24
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: c3d2de95a5a3d7d395022a3d348c00081b72a5afa3478eed40d51441493dea68
                                                                                                                          • Instruction ID: 60f5661527203e778f67b3dec6cf7eb72d601979f1f98a362b47cbf0d2dac09e
                                                                                                                          • Opcode Fuzzy Hash: c3d2de95a5a3d7d395022a3d348c00081b72a5afa3478eed40d51441493dea68
                                                                                                                          • Instruction Fuzzy Hash: 88B1C8B32090620BEFAD4639843443EBFE15B923B171A17BDD5B2EB1D5EE309634D624
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 973cd63fff1146a719e30eb133e927cff424a476e383ec04dfea535fbe72e2c4
                                                                                                                          • Instruction ID: 58bf08c8c7a40055e7158c4ac32b5c44ca6fb6943125cd92f5ee1edb2798f678
                                                                                                                          • Opcode Fuzzy Hash: 973cd63fff1146a719e30eb133e927cff424a476e383ec04dfea535fbe72e2c4
                                                                                                                          • Instruction Fuzzy Hash: 1A617BF170070856DB7899698855BFE63E4EF41700FD0093AF982DF282D611EE89C31D
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000101,?,?,00020006,00000000), ref: 00020592
                                                                                                                          Strings
                                                                                                                          Similarity
                                                                                                                          • API ID: Close
                                                                                                                          • String ID: /uninstall$"%ls" %ls$"%ls" /modify$"%ls" /uninstall /quiet$%hs$%hu.%hu.%hu.%hu$%s,0$/modify$3.11.1.2318$BundleAddonCode$BundleCachePath$BundleDetectCode$BundlePatchCode$BundleProviderKey$BundleTag$BundleUpgradeCode$BundleVersion$Comments$Contact$DisplayIcon$DisplayVersion$EngineVersion$EstimatedSize$Failed to cache bundle from path: %ls$Failed to create registration key.$Failed to register the bundle dependency key.$Failed to update name and publisher.$Failed to update resume mode.$Failed to write %ls value.$Failed to write software tags.$Failed to write update registration.$HelpLink$HelpTelephone$ModifyPath$NoElevateOnModify$NoModify$NoRemove$ParentDisplayName$ParentKeyName$Publisher$QuietUninstallString$SystemComponent$URLInfoAbout$URLUpdateInfo$UninstallString$VersionMajor$VersionMinor

                                                                                                                          APIs
                                                                                                                          • EnterCriticalSection.KERNEL32(00015445,?,00000000,80070490,?,?,?,?,?,?,?,?,0003C1BF,?,00015445,?), ref: 000184A7
                                                                                                                          • LeaveCriticalSection.KERNEL32(00015445,?,?,?,?,?,?,?,?,0003C1BF,?,00015445,?,00015445,00015445,Chain), ref: 00018804
                                                                                                                          Strings
                                                                                                                          • Initializing string variable '%ls' to value '%ls', xrefs: 0001861A
                                                                                                                          • Failed to get @Hidden., xrefs: 000187E8
                                                                                                                          • Failed to get @Id., xrefs: 000187EF
                                                                                                                          • Value, xrefs: 00018565
                                                                                                                          • string, xrefs: 000185F7
                                                                                                                          • Failed to get next node., xrefs: 000187F6
                                                                                                                          • Persisted, xrefs: 0001854A
                                                                                                                          • version, xrefs: 0001862C
                                                                                                                          • Failed to set value of variable: %ls, xrefs: 000187A7
                                                                                                                          • Failed to set variant value., xrefs: 0001878F
                                                                                                                          • Failed to get @Type., xrefs: 00018788
                                                                                                                          • Failed to find variable value '%ls'., xrefs: 000187D2
                                                                                                                          • Variable, xrefs: 000184B1
                                                                                                                          • Invalid value for @Type: %ls, xrefs: 00018778
                                                                                                                          • Failed to insert variable '%ls'., xrefs: 000186C6
                                                                                                                          • numeric, xrefs: 000185BC
                                                                                                                          • Initializing numeric variable '%ls' to value '%ls', xrefs: 000185E2
                                                                                                                          • Failed to get @Value., xrefs: 00018796
                                                                                                                          • Hidden, xrefs: 0001852F
                                                                                                                          • Failed to get variable node count., xrefs: 000184E1
                                                                                                                          • Initializing version variable '%ls' to value '%ls', xrefs: 00018653
                                                                                                                          • Failed to get @Persisted., xrefs: 000187E1
                                                                                                                          • Failed to set variant encryption, xrefs: 0001879D
                                                                                                                          • Initializing hidden variable '%ls', xrefs: 00018671
                                                                                                                          • Attempt to set built-in variable value: %ls, xrefs: 000187C8
                                                                                                                          • Failed to change variant type., xrefs: 000187DA
                                                                                                                          • Failed to select variable nodes., xrefs: 000184C4
                                                                                                                          • Type, xrefs: 000185A3
                                                                                                                          • variable.cpp, xrefs: 000187B9

                                                                                                                          APIs
                                                                                                                          • GetCurrentProcess.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,0002BDDC,00000007,?,?,?), ref: 00036D20
                                                                                                                            • Part of subcall function 00050ACC: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,00015EB2,00000000), ref: 00050AE0
                                                                                                                            • Part of subcall function 00050ACC: GetProcAddress.KERNEL32(00000000), ref: 00050AE7
                                                                                                                            • Part of subcall function 00050ACC: GetLastError.KERNEL32(?,?,?,00015EB2,00000000), ref: 00050AFE
                                                                                                                          • CloseHandle.KERNEL32(00000000,?,000001F4,?,?,?,?,?,?,?,?,?,?,wusa.exe,?,00000025), ref: 0003710F
                                                                                                                          • CloseHandle.KERNEL32(00000000,?,000001F4,?,?,?,?,?,?,?,?,?,?,wusa.exe,?,00000025), ref: 00037123
                                                                                                                          Strings
                                                                                                                          • msuengine.cpp, xrefs: 00036F8D, 00037022, 0003704A
                                                                                                                          • /log:, xrefs: 00036EA2
                                                                                                                          • "%ls" /uninstall /kb:%ls /quiet /norestart, xrefs: 00036E75
                                                                                                                          • Failed to find Windows directory., xrefs: 00036D5F
                                                                                                                          • Failed to determine WOW64 status., xrefs: 00036D32
                                                                                                                          • Failed to format MSU uninstall command., xrefs: 00036E89
                                                                                                                          • Failed to append log switch to MSU command-line., xrefs: 00036EB6
                                                                                                                          • Failed to append log path to MSU command-line., xrefs: 00036ED4
                                                                                                                          • Bootstrapper application aborted during MSU progress., xrefs: 00037054
                                                                                                                          • Failed to get action arguments for MSU package., xrefs: 00036DD6
                                                                                                                          • Failed to build MSU path., xrefs: 00036E35
                                                                                                                          • 2, xrefs: 00036FB3
                                                                                                                          • Failed to format MSU install command., xrefs: 00036E5C
                                                                                                                          • Failed to get cached path for package: %ls, xrefs: 00036DFC
                                                                                                                          • SysNative\, xrefs: 00036D6A
                                                                                                                          • Failed to find System32 directory., xrefs: 00036D95
                                                                                                                          • Failed to get process exit code., xrefs: 0003702C
                                                                                                                          • "%ls" "%ls" /quiet /norestart, xrefs: 00036E48
                                                                                                                          • D, xrefs: 00036F3B
                                                                                                                          • wusa.exe, xrefs: 00036DA0
                                                                                                                          • WixBundleExecutePackageCacheFolder, xrefs: 00036E0B, 0003713B
                                                                                                                          • Failed to allocate WUSA.exe path., xrefs: 00036DB3
                                                                                                                          • Failed to ensure WU service was enabled to install MSU package., xrefs: 00036F2E
                                                                                                                          • Failed to CreateProcess on path: %ls, xrefs: 00036F9A
                                                                                                                          • Failed to wait for executable to complete: %ls, xrefs: 0003709E
                                                                                                                          • Failed to append SysNative directory., xrefs: 00036D7D

                                                                                                                          APIs
                                                                                                                            • Part of subcall function 0001394F: GetProcessHeap.KERNEL32(?,000001C7,?,00012274,000001C7,00000001,80004005,8007139F,?,?,00050267,8007139F,?,00000000,00000000,8007139F), ref: 00013960
                                                                                                                            • Part of subcall function 0001394F: RtlAllocateHeap.NTDLL(00000000,?,00012274,000001C7,00000001,80004005,8007139F,?,?,00050267,8007139F,?,00000000,00000000,8007139F), ref: 00013967
                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,generator,000000FF,?,?,?), ref: 0005755D
                                                                                                                          • SysFreeString.OLEAUT32(00000000), ref: 00057726
                                                                                                                          • SysFreeString.OLEAUT32(00000000), ref: 000577C3
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: String$FreeHeap$AllocateCompareProcess
                                                                                                                          • String ID: ($@$`<u$atomutil.cpp$author$category$entry$generator$icon$link$logo$subtitle$title$updated
                                                                                                                          • API String ID: 1555028553-639730868
                                                                                                                          • Opcode ID: f0a0b301e09edeed231135cbe272a91c8ce79c058345782af6c6cae235b81022
                                                                                                                          • Instruction ID: e156ca84a46ef90b05eb5a5c49c6c7f12b14ea984d2db52b3a76c2e91ce2805d
                                                                                                                          • Opcode Fuzzy Hash: f0a0b301e09edeed231135cbe272a91c8ce79c058345782af6c6cae235b81022
                                                                                                                          • Instruction Fuzzy Hash: 34B1B43190C61ABBCB119BA4DC41FAF76B4AF05721F204354F929AB1D1D771EE44EB90
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,00073E78,000000FF,?,?,?), ref: 000571D4
                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,summary,000000FF), ref: 000571F9
                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,title,000000FF), ref: 00057219
                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,published,000000FF), ref: 00057235
                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,updated,000000FF), ref: 0005725D
                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,author,000000FF), ref: 00057279
                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,category,000000FF), ref: 000572B2
                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,content,000000FF), ref: 000572EB
                                                                                                                            • Part of subcall function 00056D50: SysFreeString.OLEAUT32(00000000), ref: 00056E89
                                                                                                                            • Part of subcall function 00056D50: SysFreeString.OLEAUT32(00000000), ref: 00056EC8
                                                                                                                          • SysFreeString.OLEAUT32(00000000), ref: 0005736F
                                                                                                                          • SysFreeString.OLEAUT32(00000000), ref: 0005741F
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: String$Compare$Free
                                                                                                                          • String ID: ($`<u$atomutil.cpp$author$cabinet.dll$category$clbcatq.dll$content$feclient.dll$link$msi.dll$published$summary$title$updated$version.dll
                                                                                                                          • API String ID: 318886736-2569518843
                                                                                                                          • Opcode ID: b55e3a2fef8fa3c3c9014fbc4fb9a81e3bd198cd2736f6bdba2c25c962441e34
                                                                                                                          • Instruction ID: 72bec076816632873258328b0690ec39164ddb8daaa4a66a4cf81bbf38952224
                                                                                                                          • Opcode Fuzzy Hash: b55e3a2fef8fa3c3c9014fbc4fb9a81e3bd198cd2736f6bdba2c25c962441e34
                                                                                                                          • Instruction Fuzzy Hash: 21A1B331908216BBDB219B94DC41FAF7BB4AB04731F204355FD29AB1D1DB71EA44EB90
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • UuidCreate.RPCRT4(?), ref: 0003D4B3
                                                                                                                          • StringFromGUID2.OLE32(?,?,00000027), ref: 0003D4DC
                                                                                                                          • CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?,?,?,?,?), ref: 0003D5C5
                                                                                                                          • GetLastError.KERNEL32(?,?,?,?), ref: 0003D5CF
                                                                                                                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,00000064,?,?,?,?), ref: 0003D668
                                                                                                                          • WaitForSingleObject.KERNEL32(0005B500,000000FF,?,?,?,?), ref: 0003D673
                                                                                                                          • ReleaseMutex.KERNEL32(0005B500,?,?,?,?), ref: 0003D69D
                                                                                                                          • GetExitCodeProcess.KERNEL32(?,?), ref: 0003D6BE
                                                                                                                          • GetLastError.KERNEL32(?,?,?,?), ref: 0003D6CC
                                                                                                                          • GetLastError.KERNEL32(?,?,?,?), ref: 0003D704
                                                                                                                            • Part of subcall function 0003D33E: WaitForSingleObject.KERNEL32(?,000000FF,74DF30B0,00000000,?,?,?,?,0003D642,?), ref: 0003D357
                                                                                                                            • Part of subcall function 0003D33E: ReleaseMutex.KERNEL32(?,?,?,?,0003D642,?), ref: 0003D375
                                                                                                                            • Part of subcall function 0003D33E: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0003D3B6
                                                                                                                            • Part of subcall function 0003D33E: ReleaseMutex.KERNEL32(?), ref: 0003D3CD
                                                                                                                            • Part of subcall function 0003D33E: SetEvent.KERNEL32(?), ref: 0003D3D6
                                                                                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?), ref: 0003D7B9
                                                                                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?), ref: 0003D7D1
                                                                                                                          Strings
                                                                                                                          • Failed to wait for netfx chainer process to complete, xrefs: 0003D732
                                                                                                                          • D, xrefs: 0003D5AA
                                                                                                                          • NetFxEvent.%ls, xrefs: 0003D52B
                                                                                                                          • NetFxChainer.cpp, xrefs: 0003D4F1, 0003D5F3, 0003D6F0, 0003D728
                                                                                                                          • Failed to process netfx chainer message., xrefs: 0003D648
                                                                                                                          • NetFxSection.%ls, xrefs: 0003D509
                                                                                                                          • %ls /pipe %ls, xrefs: 0003D57F
                                                                                                                          • Failed to create netfx chainer guid., xrefs: 0003D4C0
                                                                                                                          • Failed to convert netfx chainer guid into string., xrefs: 0003D4FB
                                                                                                                          • Failed to allocate netfx chainer arguments., xrefs: 0003D593
                                                                                                                          • Failed to CreateProcess on path: %ls, xrefs: 0003D5FE
                                                                                                                          • Failed to allocate event name., xrefs: 0003D53F
                                                                                                                          • Failed to allocate section name., xrefs: 0003D51D
                                                                                                                          • Failed to create netfx chainer., xrefs: 0003D55E
                                                                                                                          • Failed to get netfx return code., xrefs: 0003D6FA
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Wait$ErrorLastMutexObjectReleaseSingle$CloseCreateHandleProcess$CodeEventExitFromMultipleObjectsStringUuid
                                                                                                                          • String ID: %ls /pipe %ls$D$Failed to CreateProcess on path: %ls$Failed to allocate event name.$Failed to allocate netfx chainer arguments.$Failed to allocate section name.$Failed to convert netfx chainer guid into string.$Failed to create netfx chainer guid.$Failed to create netfx chainer.$Failed to get netfx return code.$Failed to process netfx chainer message.$Failed to wait for netfx chainer process to complete$NetFxChainer.cpp$NetFxEvent.%ls$NetFxSection.%ls
                                                                                                                          • API String ID: 1533322865-1825855094
                                                                                                                          • Opcode ID: b1fd7a357fdc94fa2aa0c429ee062dae36aeee3e8ff3b942bd3ddffd541fa125
                                                                                                                          • Instruction ID: b2e36599bb198ded264f9795cf2bbdd50980b3183509aabedcba9b3342f78924
                                                                                                                          • Opcode Fuzzy Hash: b1fd7a357fdc94fa2aa0c429ee062dae36aeee3e8ff3b942bd3ddffd541fa125
                                                                                                                          • Instruction Fuzzy Hash: 0CA19272D40328EBDB629BA4DC45BEEB7B8BB04711F104166EA08FB252D7359D44CF91
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • lstrlenW.KERNEL32(?,?,00000000,?,0005B500,?,00000000,?,0001452F,?,0005B500), ref: 000254FD
                                                                                                                          • GetCurrentProcessId.KERNEL32(?,0001452F,?,0005B500), ref: 00025508
                                                                                                                          • SetNamedPipeHandleState.KERNEL32(?,000000FF,00000000,00000000,?,0001452F,?,0005B500), ref: 0002553F
                                                                                                                          • ConnectNamedPipe.KERNEL32(?,00000000,?,0001452F,?,0005B500), ref: 00025554
                                                                                                                          • GetLastError.KERNEL32(?,0001452F,?,0005B500), ref: 0002555E
                                                                                                                          • Sleep.KERNEL32(00000064,?,0001452F,?,0005B500), ref: 00025593
                                                                                                                          • SetNamedPipeHandleState.KERNEL32(?,00000000,00000000,00000000,?,0001452F,?,0005B500), ref: 000255B6
                                                                                                                          • WriteFile.KERNEL32(?,crypt32.dll,00000004,00000000,00000000,?,0001452F,?,0005B500), ref: 000255D1
                                                                                                                          • WriteFile.KERNEL32(?,0001452F,0005B500,00000000,00000000,?,0001452F,?,0005B500), ref: 000255EC
                                                                                                                          • WriteFile.KERNEL32(?,?,00000004,00000000,00000000,?,0001452F,?,0005B500), ref: 00025607
                                                                                                                          • ReadFile.KERNEL32(?,00000000,00000004,00000000,00000000,?,0001452F,?,0005B500), ref: 00025622
                                                                                                                          • GetLastError.KERNEL32(?,0001452F,?,0005B500), ref: 0002567D
                                                                                                                          • GetLastError.KERNEL32(?,0001452F,?,0005B500), ref: 000256B1
                                                                                                                          • GetLastError.KERNEL32(?,0001452F,?,0005B500), ref: 000256E5
                                                                                                                          • GetLastError.KERNEL32(?,0001452F,?,0005B500), ref: 00025719
                                                                                                                          • GetLastError.KERNEL32(?,0001452F,?,0005B500), ref: 0002574A
                                                                                                                          • GetLastError.KERNEL32(?,0001452F,?,0005B500), ref: 0002577B
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorLast$File$NamedPipeWrite$HandleState$ConnectCurrentProcessReadSleeplstrlen
                                                                                                                          • String ID: Failed to read ACK from pipe.$Failed to reset pipe to blocking.$Failed to set pipe to non-blocking.$Failed to wait for child to connect to pipe.$Failed to write our process id to pipe.$Failed to write secret length to pipe.$Failed to write secret to pipe.$crypt32.dll$pipe.cpp
                                                                                                                          • API String ID: 2944378912-2047837012
                                                                                                                          • Opcode ID: 269a28bcd20099398d1124a5b353eed61d929a8ae930c22e1811f55968e33bba
                                                                                                                          • Instruction ID: 5c2507fd6e810cd73ec92df302372fa1d543ec17f426252a52f16ed570d8ca6d
                                                                                                                          • Opcode Fuzzy Hash: 269a28bcd20099398d1124a5b353eed61d929a8ae930c22e1811f55968e33bba
                                                                                                                          • Instruction Fuzzy Hash: 6471C876D81B35ABD72097A4AC49BAFB6E8AF04B12F114525FE01FF181E774DD0086E8
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • _MREFOpen@16.MSPDB140-MSVCRT ref: 0001A45A
                                                                                                                          • _MREFOpen@16.MSPDB140-MSVCRT ref: 0001A480
                                                                                                                          • RegCloseKey.ADVAPI32(00000000,?,00000000,?,?,?,?,?), ref: 0001A768
                                                                                                                          Strings
                                                                                                                          • Failed to set variable., xrefs: 0001A72B
                                                                                                                          • RegistrySearchValue failed: ID '%ls', HRESULT 0x%x, xrefs: 0001A740
                                                                                                                          • Failed to query registry key value size., xrefs: 0001A554
                                                                                                                          • Failed to change value type., xrefs: 0001A70F
                                                                                                                          • Failed to get expand environment string., xrefs: 0001A6DD
                                                                                                                          • Failed to read registry value., xrefs: 0001A6F6
                                                                                                                          • Failed to allocate string buffer., xrefs: 0001A667
                                                                                                                          • Registry key not found. Key = '%ls', xrefs: 0001A4B4
                                                                                                                          • Failed to query registry key value., xrefs: 0001A5DA
                                                                                                                          • Registry value not found. Key = '%ls', Value = '%ls', xrefs: 0001A51C
                                                                                                                          • Failed to open registry key., xrefs: 0001A4ED
                                                                                                                          • search.cpp, xrefs: 0001A54A, 0001A57D, 0001A5D0, 0001A6D3
                                                                                                                          • Failed to allocate memory registry value., xrefs: 0001A587
                                                                                                                          • Unsupported registry key value type. Type = '%u', xrefs: 0001A608
                                                                                                                          • Failed to format value string., xrefs: 0001A48B
                                                                                                                          • Failed to format key string., xrefs: 0001A465
                                                                                                                          • Failed to clear variable., xrefs: 0001A4D8
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Open@16$Close
                                                                                                                          • String ID: Failed to allocate memory registry value.$Failed to allocate string buffer.$Failed to change value type.$Failed to clear variable.$Failed to format key string.$Failed to format value string.$Failed to get expand environment string.$Failed to open registry key.$Failed to query registry key value size.$Failed to query registry key value.$Failed to read registry value.$Failed to set variable.$Registry key not found. Key = '%ls'$Registry value not found. Key = '%ls', Value = '%ls'$RegistrySearchValue failed: ID '%ls', HRESULT 0x%x$Unsupported registry key value type. Type = '%u'$search.cpp
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • EnterCriticalSection.KERNEL32(00000100,00000100,00000100,00000000,00000000,00000000,?,0001A8B4,00000100,000002C0,000002C0,00000100), ref: 00015795
                                                                                                                          • lstrlenW.KERNEL32(000002C0,?,0001A8B4,00000100,000002C0,000002C0,00000100), ref: 0001579F
                                                                                                                          • _wcschr.LIBVCRUNTIME ref: 000159A7
                                                                                                                          • LeaveCriticalSection.KERNEL32(00000100,00000000,000002C0,000002C0,00000000,000002C0,00000001,?,0001A8B4,00000100,000002C0,000002C0,00000100), ref: 00015C4A
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CriticalSection$EnterLeave_wcschrlstrlen
                                                                                                                          • String ID: *****$Failed to allocate buffer for format string.$Failed to allocate record.$Failed to allocate string.$Failed to allocate variable array.$Failed to append placeholder.$Failed to append string.$Failed to copy string.$Failed to determine variable visibility: '%ls'.$Failed to format placeholder string.$Failed to format record.$Failed to get formatted length.$Failed to get variable name.$Failed to reallocate variable array.$Failed to set record format string.$Failed to set record string.$Failed to set variable value.$[%d]$variable.cpp
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                            • Part of subcall function 0001394F: GetProcessHeap.KERNEL32(?,000001C7,?,00012274,000001C7,00000001,80004005,8007139F,?,?,00050267,8007139F,?,00000000,00000000,8007139F), ref: 00013960
                                                                                                                            • Part of subcall function 0001394F: RtlAllocateHeap.NTDLL(00000000,?,00012274,000001C7,00000001,80004005,8007139F,?,?,00050267,8007139F,?,00000000,00000000,8007139F), ref: 00013967
                                                                                                                          • CreateEventW.KERNEL32(00000000,00000000,00000000,?,00000000,00000018,00000001,?,00000000,?,?,0003D558,?,?,?), ref: 0003CEC7
                                                                                                                          • GetLastError.KERNEL32(?,?,0003D558,?,?,?), ref: 0003CED4
                                                                                                                          • ReleaseMutex.KERNEL32(?), ref: 0003D13C
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Heap$AllocateCreateErrorEventLastMutexProcessRelease
                                                                                                                          • String ID: %ls_mutex$%ls_send$Failed to MapViewOfFile for %ls.$Failed to allocate memory for NetFxChainer struct.$Failed to create event: %ls$Failed to create mutex: %ls$Failed to memory map cabinet file: %ls$NetFxChainer.cpp$failed to allocate memory for event name$failed to allocate memory for mutex name$failed to copy event name to shared memory structure.
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                            • Part of subcall function 000532F3: VariantInit.OLEAUT32(?), ref: 00053309
                                                                                                                            • Part of subcall function 000532F3: SysAllocString.OLEAUT32(?), ref: 00053325
                                                                                                                            • Part of subcall function 000532F3: VariantClear.OLEAUT32(?), ref: 000533AC
                                                                                                                            • Part of subcall function 000532F3: SysFreeString.OLEAUT32(00000000), ref: 000533B7
                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000000,000000FF,000000FF,Detect,000000FF,?,0005CA9C,?,?,Action,?,?,?,00000000,00015445), ref: 0001EB13
                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,Upgrade,000000FF), ref: 0001EB5D
                                                                                                                          Strings
                                                                                                                          • Invalid value for @Action: %ls, xrefs: 0001EC52
                                                                                                                          • Failed to get @Id., xrefs: 0001EC62
                                                                                                                          • Addon, xrefs: 0001EB9A
                                                                                                                          • Patch, xrefs: 0001EBDD
                                                                                                                          • Action, xrefs: 0001EAD0
                                                                                                                          • Upgrade, xrefs: 0001EB50
                                                                                                                          • Failed to get @Action., xrefs: 0001EC69
                                                                                                                          • cabinet.dll, xrefs: 0001EBBA
                                                                                                                          • RelatedBundle, xrefs: 0001EA50
                                                                                                                          • Failed to get RelatedBundle element count., xrefs: 0001EA97
                                                                                                                          • Failed to resize Patch code array in registration, xrefs: 0001EC43
                                                                                                                          • version.dll, xrefs: 0001EB70
                                                                                                                          • Failed to get next RelatedBundle element., xrefs: 0001EC70
                                                                                                                          • comres.dll, xrefs: 0001EB26
                                                                                                                          • Failed to get RelatedBundle nodes, xrefs: 0001EA72
                                                                                                                          • Failed to resize Detect code array in registration, xrefs: 0001EC2E
                                                                                                                          • Failed to resize Addon code array in registration, xrefs: 0001EC3C
                                                                                                                          • Detect, xrefs: 0001EB04
                                                                                                                          • Failed to resize Upgrade code array in registration, xrefs: 0001EC35
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: String$CompareVariant$AllocClearFreeInit
                                                                                                                          • String ID: Action$Addon$Detect$Failed to get @Action.$Failed to get @Id.$Failed to get RelatedBundle element count.$Failed to get RelatedBundle nodes$Failed to get next RelatedBundle element.$Failed to resize Addon code array in registration$Failed to resize Detect code array in registration$Failed to resize Patch code array in registration$Failed to resize Upgrade code array in registration$Invalid value for @Action: %ls$Patch$RelatedBundle$Upgrade$cabinet.dll$comres.dll$version.dll
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • GetCurrentProcessId.KERNEL32(?,8000FFFF,feclient.dll,?,00024BF5,0005B4E8,?,feclient.dll,00000000,?,?), ref: 000246F3
                                                                                                                          • ReadFile.KERNEL32(feclient.dll,feclient.dll,00000004,?,00000000,?,00024BF5,0005B4E8,?,feclient.dll,00000000,?,?), ref: 00024714
                                                                                                                          • GetLastError.KERNEL32(?,00024BF5,0005B4E8,?,feclient.dll,00000000,?,?), ref: 0002471A
                                                                                                                          • ReadFile.KERNEL32(feclient.dll,00000000,0005B518,?,00000000,00000000,0005B519,?,00024BF5,0005B4E8,?,feclient.dll,00000000,?,?), ref: 000247A8
                                                                                                                          • GetLastError.KERNEL32(?,00024BF5,0005B4E8,?,feclient.dll,00000000,?,?), ref: 000247AE
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorFileLastRead$CurrentProcess
                                                                                                                          • String ID: Failed to allocate buffer for verification secret.$Failed to inform parent process that child is running.$Failed to read size of verification secret from parent pipe.$Failed to read verification process id from parent pipe.$Failed to read verification secret from parent pipe.$Verification process id from parent does not match.$Verification secret from parent does not match.$Verification secret from parent is too big.$feclient.dll$msasn1.dll$pipe.cpp
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: StringVariant$AllocClearFreeInit
                                                                                                                          • String ID: DetectCondition$Failed to get @DetectCondition.$Failed to get @InstallArguments.$Failed to get @Protocol.$Failed to get @RepairArguments.$Failed to get @Repairable.$Failed to get @UninstallArguments.$Failed to parse command lines.$Failed to parse exit codes.$InstallArguments$Invalid protocol type: %ls$Protocol$RepairArguments$Repairable$UninstallArguments$burn$netfx4$none
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • GetStringTypeW.KERNEL32(00000001,560005DB,00000001,?,00019946,?,00000000,00000000,?,?,0001992E,?,?,00000000,?), ref: 00018FB2
                                                                                                                          Strings
                                                                                                                          • condition.cpp, xrefs: 00019084, 0001914E, 000191CA, 0001922E, 0001936C, 000193B0, 000193F4
                                                                                                                          • Failed to parse condition "%ls". Unexpected character at position %d., xrefs: 00019162
                                                                                                                          • Failed to set symbol value., xrefs: 00019060
                                                                                                                          • Failed to parse condition "%ls". Constant too big, at position %d., xrefs: 00019380
                                                                                                                          • Failed to parse condition "%ls". Version can have a maximum of 4 parts, at position %d., xrefs: 000191DE
                                                                                                                          • -, xrefs: 00019118
                                                                                                                          • Failed to parse condition "%ls". Identifier cannot start at a digit, at position %d., xrefs: 000193C4
                                                                                                                          • Failed to parse condition "%ls". Invalid version format, at position %d., xrefs: 00019242
                                                                                                                          • AND, xrefs: 000192BC
                                                                                                                          • Failed to parse condition "%ls". Unexpected '~' operator at position %d., xrefs: 00019408
                                                                                                                          • Failed to parse condition "%ls". Unterminated literal at position %d., xrefs: 00019098
                                                                                                                          • NOT, xrefs: 000192DB
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: StringType
                                                                                                                          • String ID: -$AND$Failed to parse condition "%ls". Constant too big, at position %d.$Failed to parse condition "%ls". Identifier cannot start at a digit, at position %d.$Failed to parse condition "%ls". Invalid version format, at position %d.$Failed to parse condition "%ls". Unexpected '~' operator at position %d.$Failed to parse condition "%ls". Unexpected character at position %d.$Failed to parse condition "%ls". Unterminated literal at position %d.$Failed to parse condition "%ls". Version can have a maximum of 4 parts, at position %d.$Failed to set symbol value.$NOT$condition.cpp
                                                                                                                          • API String ID: 4177115715-3594736606
                                                                                                                          • Opcode ID: eea78d620f6c8de8de77ba4838407cb28e6945a67b3d646e561f1850b1e56116
                                                                                                                          • Instruction ID: 61ae3ebee13679a2308dbb8bf5eb16cdaf35a20798b143248dec72f432d8b55f
                                                                                                                          • Opcode Fuzzy Hash: eea78d620f6c8de8de77ba4838407cb28e6945a67b3d646e561f1850b1e56116
                                                                                                                          • Instruction Fuzzy Hash: 05F1DE71A00305FFDB258F98C8A9FFA7BA4FB04704F10455AFA159A585C3B5DAD2CB90
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                            • Part of subcall function 0001394F: GetProcessHeap.KERNEL32(?,000001C7,?,00012274,000001C7,00000001,80004005,8007139F,?,?,00050267,8007139F,?,00000000,00000000,8007139F), ref: 00013960
                                                                                                                            • Part of subcall function 0001394F: RtlAllocateHeap.NTDLL(00000000,?,00012274,000001C7,00000001,80004005,8007139F,?,?,00050267,8007139F,?,00000000,00000000,8007139F), ref: 00013967
                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,success,000000FF,?,Type,00000000,?,?,00000000,?,00000001,?), ref: 00031CB8
                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,error,000000FF), ref: 00031CD6
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CompareHeapString$AllocateProcess
                                                                                                                          • String ID: Code$ExitCode$Failed to allocate memory for exit code structs.$Failed to get @Code.$Failed to get @Type.$Failed to get exit code node count.$Failed to get next node.$Failed to parse @Code value: %ls$Failed to select exit code nodes.$Invalid exit code type: %ls$Type$error$exeengine.cpp$forceReboot$scheduleReboot$success
                                                                                                                          • API String ID: 2664528157-1714101571
                                                                                                                          • Opcode ID: b7f0a5f151fe5c04a83f61d21c1cf01061e510bef2076aed410ddd356992324f
                                                                                                                          • Instruction ID: aa3d625ebea4301e87add9ef902d912a6c8e4cfd46ed0bcf71b90525769736b0
                                                                                                                          • Opcode Fuzzy Hash: b7f0a5f151fe5c04a83f61d21c1cf01061e510bef2076aed410ddd356992324f
                                                                                                                          • Instruction Fuzzy Hash: CE61E571904216FBCB229B94CC41EEEBBB9EF09720F204655F921AB2D1DB71DE40CB90
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,rel,000000FF,?,?,?,00000000), ref: 00057857
                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,href,000000FF), ref: 0005787C
                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,length,000000FF), ref: 0005789C
                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,title,000000FF), ref: 000578CF
                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,type,000000FF), ref: 000578EB
                                                                                                                          • SysFreeString.OLEAUT32(00000000), ref: 00057916
                                                                                                                          • SysFreeString.OLEAUT32(00000000), ref: 0005798D
                                                                                                                          • SysFreeString.OLEAUT32(00000000), ref: 000579D9
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: String$Compare$Free
                                                                                                                          • String ID: `<u$comres.dll$feclient.dll$href$length$msasn1.dll$msi.dll$rel$title$type$version.dll
                                                                                                                          • API String ID: 318886736-782967201
                                                                                                                          • Opcode ID: 3e8450f8820705f657ce704d39fa6b933149d5a7db046c5b7bd0147f5846b69f
                                                                                                                          • Instruction ID: c069d1db42a43c486f0ad5e0a6dcb8b7e513d1a3a8dcf674c382ce22b1787903
                                                                                                                          • Opcode Fuzzy Hash: 3e8450f8820705f657ce704d39fa6b933149d5a7db046c5b7bd0147f5846b69f
                                                                                                                          • Instruction Fuzzy Hash: 09618171D08219FBDF11DB94DC45FAFB7B8AF04322F204665E925A71A1DB31AE04EB90
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                            • Part of subcall function 0001D4A8: EnterCriticalSection.KERNEL32(000000D0,?,000000B8,00000000,?,00027040,000000B8,00000000,?,00000000,75C0B390), ref: 0001D4B7
                                                                                                                            • Part of subcall function 0001D4A8: InterlockedCompareExchange.KERNEL32(000000E8,00000001,00000000), ref: 0001D4C6
                                                                                                                            • Part of subcall function 0001D4A8: LeaveCriticalSection.KERNEL32(000000D0,?,00027040,000000B8,00000000,?,00000000,75C0B390), ref: 0001D4DB
                                                                                                                          • CreateThread.KERNEL32(00000000,00000000,000257BD,?,00000000,00000000), ref: 00026E34
                                                                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,00014522,?,0005B500,?,00014846,?,?), ref: 00026E43
                                                                                                                          • CloseHandle.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00014522,?,0005B500,?,00014846,?,?), ref: 00026EA0
                                                                                                                          • ReleaseMutex.KERNEL32(00000000,?,00000000,?,00000000,00000001,00000000), ref: 00026F92
                                                                                                                          • CloseHandle.KERNEL32(00000000), ref: 00026F9B
                                                                                                                          • CloseHandle.KERNEL32(crypt32.dll,?,00000000,?,00000000,00000001,00000000), ref: 00026FB5
                                                                                                                            • Part of subcall function 0003BD05: SetThreadExecutionState.KERNEL32(80000001), ref: 0003BD0A
                                                                                                                          Strings
                                                                                                                          • core.cpp, xrefs: 00026C8A, 00026E67
                                                                                                                          • Another per-user setup is already executing., xrefs: 00026CD8
                                                                                                                          • Failed to cache engine to working directory., xrefs: 00026D71
                                                                                                                          • Failed to register bundle., xrefs: 00026DEE
                                                                                                                          • Failed to set initial apply variables., xrefs: 00026D02
                                                                                                                          • Failed to create cache thread., xrefs: 00026E71
                                                                                                                          • Engine cannot start apply because it is busy with another action., xrefs: 00026C28
                                                                                                                          • Failed to elevate., xrefs: 00026D94
                                                                                                                          • Another per-machine setup is already executing., xrefs: 00026DC8
                                                                                                                          • Failed while caching, aborting execution., xrefs: 00026E98
                                                                                                                          • crypt32.dll, xrefs: 00026ECD, 00026EE7, 00026FB4
                                                                                                                          • UX aborted apply begin., xrefs: 00026C94
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CloseHandle$CriticalSectionThread$CompareCreateEnterErrorExchangeExecutionInterlockedLastLeaveMutexReleaseState
                                                                                                                          • String ID: Another per-machine setup is already executing.$Another per-user setup is already executing.$Engine cannot start apply because it is busy with another action.$Failed to cache engine to working directory.$Failed to create cache thread.$Failed to elevate.$Failed to register bundle.$Failed to set initial apply variables.$Failed while caching, aborting execution.$UX aborted apply begin.$core.cpp$crypt32.dll
                                                                                                                          • API String ID: 2169948125-4292671789
                                                                                                                          • Opcode ID: 4bc5ec41b49317e475b9b712f2c933dbdeee5df9fab525489099849c0092f6ed
                                                                                                                          • Instruction ID: 0744703308409cf23ad862acbed1aaca79321b2bd1645a0c24646820a8682b4b
                                                                                                                          • Opcode Fuzzy Hash: 4bc5ec41b49317e475b9b712f2c933dbdeee5df9fab525489099849c0092f6ed
                                                                                                                          • Instruction Fuzzy Hash: 25C1E371D00225ABDF619F64EC85BEF76B8EF04705F14417AFE09AE182DB729940CBA1
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,http://appsyndication.org/2006/appsyn,000000FF,00000000,00000000,000002C0,00000410), ref: 00058161
                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,application,000000FF), ref: 0005817C
                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,upgrade,000000FF), ref: 0005821F
                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000000,00700079,000000FF,version,000000FF,000002D8,0005B518,00000000), ref: 0005825E
                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,exclusive,000000FF), ref: 000582B1
                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000000,0005B518,000000FF,true,000000FF), ref: 000582CF
                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,version,000000FF), ref: 00058307
                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,enclosure,000000FF), ref: 0005844B
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CompareString
                                                                                                                          • String ID: application$apuputil.cpp$enclosure$exclusive$http://appsyndication.org/2006/appsyn$true$type$upgrade$version
                                                                                                                          • API String ID: 1825529933-3037633208
                                                                                                                          • Opcode ID: 8662ad34870e0a4c380700706df355148f8cbf39ad8f0c76e1bd893eff206d70
                                                                                                                          • Instruction ID: 512659e3aad3f0be214ab835ff86404a50c5ea651d43ed2f6f210c501fe3ac3f
                                                                                                                          • Opcode Fuzzy Hash: 8662ad34870e0a4c380700706df355148f8cbf39ad8f0c76e1bd893eff206d70
                                                                                                                          • Instruction Fuzzy Hash: 1AB19D31944606ABDB608F54CC85F9B7BEAAB44732F218614FE29AF2D1DB71E944CB04
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                            • Part of subcall function 0002E2AF: LoadBitmapW.USER32(?,00000001), ref: 0002E2E5
                                                                                                                            • Part of subcall function 0002E2AF: GetLastError.KERNEL32 ref: 0002E2F1
                                                                                                                          • LoadCursorW.USER32(00000000,00007F00), ref: 0002E429
                                                                                                                          • RegisterClassW.USER32(?), ref: 0002E43D
                                                                                                                          • GetLastError.KERNEL32 ref: 0002E448
                                                                                                                          • UnregisterClassW.USER32(WixBurnSplashScreen,?), ref: 0002E54D
                                                                                                                          • DeleteObject.GDI32(00000000), ref: 0002E55C
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ClassErrorLastLoad$BitmapCursorDeleteObjectRegisterUnregister
                                                                                                                          • String ID: Failed to create window.$Failed to load splash screen.$Failed to register window.$Unexpected return value from message pump.$WixBurnSplashScreen$splashscreen.cpp
                                                                                                                          • API String ID: 164797020-2188509422
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • WaitForMultipleObjects.KERNEL32(00000001,?,00000000,000000FF,00000001,00000000,00000000,?,0003BC85,00000001), ref: 00039E46
                                                                                                                          • GetLastError.KERNEL32(?,0003BC85,00000001), ref: 00039FB6
                                                                                                                          • GetExitCodeThread.KERNEL32(00000001,00000000,?,0003BC85,00000001), ref: 00039FF6
                                                                                                                          • GetLastError.KERNEL32(?,0003BC85,00000001), ref: 0003A000
                                                                                                                          Strings
                                                                                                                          • apply.cpp, xrefs: 00039FDD, 0003A027
                                                                                                                          • Failed to execute EXE package., xrefs: 00039E7D
                                                                                                                          • Failed to load compatible package on per-machine package., xrefs: 00039F5C
                                                                                                                          • Failed to get cache thread exit code., xrefs: 0003A031
                                                                                                                          • Cache thread exited unexpectedly., xrefs: 0003A047
                                                                                                                          • Failed to execute MSU package., xrefs: 00039EFB
                                                                                                                          • Failed to execute MSI package., xrefs: 00039EA6
                                                                                                                          • Failed to execute MSP package., xrefs: 00039ECB
                                                                                                                          • Failed to execute compatible package action., xrefs: 00039F73
                                                                                                                          • Failed to wait for cache check-point., xrefs: 00039FE7
                                                                                                                          • Failed to execute package provider registration action., xrefs: 00039F17
                                                                                                                          • Failed to execute dependency action., xrefs: 00039F36
                                                                                                                          • Invalid execute action., xrefs: 0003A056
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorLast$CodeExitMultipleObjectsThreadWait
                                                                                                                          • String ID: Cache thread exited unexpectedly.$Failed to execute EXE package.$Failed to execute MSI package.$Failed to execute MSP package.$Failed to execute MSU package.$Failed to execute compatible package action.$Failed to execute dependency action.$Failed to execute package provider registration action.$Failed to get cache thread exit code.$Failed to load compatible package on per-machine package.$Failed to wait for cache check-point.$Invalid execute action.$apply.cpp
                                                                                                                          • API String ID: 3703294532-2662572847
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                            • Part of subcall function 00053AF1: GetVersionExW.KERNEL32(?,?,00000000,?), ref: 00053B3E
                                                                                                                          • RegCloseKey.ADVAPI32(00000000,77FF0000,00060D10,00020006,00000000,?,00000000,00000000,00000000,E84C77FF,00000000,00000001,00000000,00000000), ref: 0001F440
                                                                                                                            • Part of subcall function 000514A6: RegSetValueExW.ADVAPI32(?,00000005,00000000,00000004,?,00000004,00000001,?,0001F28D,00060D10,Resume,00000005,?,00000000,00000000,00000000), ref: 000514BB
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CloseValueVersion
                                                                                                                          • String ID: "%ls" /%ls$BundleResumeCommandLine$Failed to create run key.$Failed to delete resume command line value.$Failed to delete run key value.$Failed to format resume command line for RunOnce.$Failed to write Installed value.$Failed to write Resume value.$Failed to write resume command line value.$Failed to write run key value.$Installed$Resume$burn.runonce$registration.cpp
                                                                                                                          • API String ID: 2348918689-2631711097
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • GetCurrentProcessId.KERNEL32(74DE8FB0,00000002,00000000), ref: 0003CC9D
                                                                                                                            • Part of subcall function 00024D8D: UuidCreate.RPCRT4(?), ref: 00024DC0
                                                                                                                          • CreateProcessW.KERNEL32(?,?,00000000,00000000,00000001,08000000,00000000,00000000,?,00032401,?,?,00000000,?,?,?), ref: 0003CD7B
                                                                                                                          • GetLastError.KERNEL32(?,?,00000000,?,?,?,?), ref: 0003CD85
                                                                                                                          • GetProcessId.KERNEL32(00032401,?,?,00000000,?,?,?,?), ref: 0003CDBD
                                                                                                                            • Part of subcall function 000254DC: lstrlenW.KERNEL32(?,?,00000000,?,0005B500,?,00000000,?,0001452F,?,0005B500), ref: 000254FD
                                                                                                                            • Part of subcall function 000254DC: GetCurrentProcessId.KERNEL32(?,0001452F,?,0005B500), ref: 00025508
                                                                                                                            • Part of subcall function 000254DC: SetNamedPipeHandleState.KERNEL32(?,000000FF,00000000,00000000,?,0001452F,?,0005B500), ref: 0002553F
                                                                                                                            • Part of subcall function 000254DC: ConnectNamedPipe.KERNEL32(?,00000000,?,0001452F,?,0005B500), ref: 00025554
                                                                                                                            • Part of subcall function 000254DC: GetLastError.KERNEL32(?,0001452F,?,0005B500), ref: 0002555E
                                                                                                                            • Part of subcall function 000254DC: Sleep.KERNEL32(00000064,?,0001452F,?,0005B500), ref: 00025593
                                                                                                                            • Part of subcall function 000254DC: SetNamedPipeHandleState.KERNEL32(?,00000000,00000000,00000000,?,0001452F,?,0005B500), ref: 000255B6
                                                                                                                            • Part of subcall function 000254DC: WriteFile.KERNEL32(?,crypt32.dll,00000004,00000000,00000000,?,0001452F,?,0005B500), ref: 000255D1
                                                                                                                            • Part of subcall function 000254DC: WriteFile.KERNEL32(?,0001452F,0005B500,00000000,00000000,?,0001452F,?,0005B500), ref: 000255EC
                                                                                                                            • Part of subcall function 000254DC: WriteFile.KERNEL32(?,?,00000004,00000000,00000000,?,0001452F,?,0005B500), ref: 00025607
                                                                                                                            • Part of subcall function 00050A28: WaitForSingleObject.KERNEL32(000000FF,?,00000000,?,?,00014F1C,?,000000FF,?,?,?,?,?,00000000,?,?), ref: 00050A38
                                                                                                                            • Part of subcall function 00050A28: GetLastError.KERNEL32(?,?,00014F1C,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?), ref: 00050A46
                                                                                                                          • CloseHandle.KERNEL32(00000000,?,000000FF,00000000,?,0003CBEF,?,?,?,?,?,00000000,?,?,?,?), ref: 0003CE41
                                                                                                                          • CloseHandle.KERNEL32(00000000,?,000000FF,00000000,?,0003CBEF,?,?,?,?,?,00000000,?,?,?,?), ref: 0003CE50
                                                                                                                          • CloseHandle.KERNEL32(00000000,?,?,000000FF,00000000,?,0003CBEF,?,?,?,?,?,00000000,?,?,?), ref: 0003CE67
                                                                                                                          Strings
                                                                                                                          • burn.embedded, xrefs: 0003CD38
                                                                                                                          • Failed to create embedded process at path: %ls, xrefs: 0003CDB3
                                                                                                                          • Failed to wait for embedded executable: %ls, xrefs: 0003CE24
                                                                                                                          • Failed to allocate embedded command., xrefs: 0003CD54
                                                                                                                          • embedded.cpp, xrefs: 0003CDA6
                                                                                                                          • %ls -%ls %ls %ls %u, xrefs: 0003CD40
                                                                                                                          • Failed to create embedded pipe name and client token., xrefs: 0003CD00
                                                                                                                          • Failed to create embedded pipe., xrefs: 0003CD27
                                                                                                                          • Failed to wait for embedded process to connect to pipe., xrefs: 0003CDDF
                                                                                                                          • Failed to process messages from embedded message., xrefs: 0003CE04
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Handle$Process$CloseErrorFileLastNamedPipeWrite$CreateCurrentState$ConnectObjectSingleSleepUuidWaitlstrlen
                                                                                                                          • String ID: %ls -%ls %ls %ls %u$Failed to allocate embedded command.$Failed to create embedded pipe name and client token.$Failed to create embedded pipe.$Failed to create embedded process at path: %ls$Failed to process messages from embedded message.$Failed to wait for embedded executable: %ls$Failed to wait for embedded process to connect to pipe.$burn.embedded$embedded.cpp
                                                                                                                          • API String ID: 875070380-3803182736
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • SysFreeString.OLEAUT32(?), ref: 0001EE4C
                                                                                                                            • Part of subcall function 0001394F: GetProcessHeap.KERNEL32(?,000001C7,?,00012274,000001C7,00000001,80004005,8007139F,?,?,00050267,8007139F,?,00000000,00000000,8007139F), ref: 00013960
                                                                                                                            • Part of subcall function 0001394F: RtlAllocateHeap.NTDLL(00000000,?,00012274,000001C7,00000001,80004005,8007139F,?,?,00050267,8007139F,?,00000000,00000000,8007139F), ref: 00013967
                                                                                                                          • SysFreeString.OLEAUT32(?), ref: 0001EE04
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: FreeHeapString$AllocateProcess
                                                                                                                          • String ID: Failed to allocate memory for software tag structs.$Failed to convert SoftwareTag text to UTF-8$Failed to get @Filename.$Failed to get @Path.$Failed to get @Regid.$Failed to get SoftwareTag text.$Failed to get next node.$Failed to get software tag count.$Failed to select software tag nodes.$Filename$Path$Regid$SoftwareTag$`<u$registration.cpp
                                                                                                                          • API String ID: 336948655-956346883
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000000,msi.dll,000000FF,http://appsyndication.org/2006/appsyn,000000FF,00000000,00000000,000002C0,?,00058468,00000001,?), ref: 00057F9E
                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000000,digest,000000FF,002E0069,000000FF,?,00058468,00000001,?), ref: 00057FB9
                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000000,name,000000FF,002E0069,000000FF,?,00058468,00000001,?), ref: 00057FD4
                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000000,algorithm,000000FF,?,000000FF,?,00058468,00000001,?), ref: 00058040
                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000001,md5,000000FF,?,000000FF,?,00058468,00000001,?), ref: 00058064
                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000001,sha1,000000FF,?,000000FF,?,00058468,00000001,?), ref: 00058088
                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000001,sha256,000000FF,?,000000FF,?,00058468,00000001,?), ref: 000580A8
                                                                                                                          • lstrlenW.KERNEL32(006C0064,?,00058468,00000001,?), ref: 000580C3
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CompareString$lstrlen
                                                                                                                          • String ID: algorithm$apuputil.cpp$digest$http://appsyndication.org/2006/appsyn$md5$msi.dll$name$sha1$sha256
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • _MREFOpen@16.MSPDB140-MSVCRT ref: 0001A0B6
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Open@16
                                                                                                                          • String ID: AssignmentType$Failed to change value type.$Failed to copy upgrade code.$Failed to enumerate related products for upgrade code.$Failed to format GUID string.$Failed to get product info.$Failed to set variable.$Language$MsiProductSearch failed: ID '%ls', HRESULT 0x%x$Product or related product not found: %ls$State$Trying per-machine extended info for property '%ls' for product: %ls$Trying per-user extended info for property '%ls' for product: %ls$Unsupported product search type: %u$VersionString
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?), ref: 00024B84
                                                                                                                          • GetLastError.KERNEL32 ref: 00024B92
                                                                                                                          • Sleep.KERNEL32(00000064), ref: 00024BB6
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CreateErrorFileLastSleep
                                                                                                                          • String ID: Failed to allocate name of parent cache pipe.$Failed to allocate name of parent pipe.$Failed to open companion process with PID: %u$Failed to open parent pipe: %ls$Failed to verify parent pipe: %ls$\\.\pipe\%ls$\\.\pipe\%ls.Cache$feclient.dll$pipe.cpp
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • RegCloseKey.ADVAPI32(00000000,00000000,000204DF,InstallerVersion,InstallerVersion,00000000,000204DF,InstallerName,InstallerName,00000000,000204DF,Date,InstalledDate,00000000,000204DF,LogonUser), ref: 0001F733
                                                                                                                            • Part of subcall function 000514F4: RegSetValueExW.ADVAPI32(00020006,00060D10,00000000,00000001,77FF0000,00000000,77FF0000,000000FF,00000000,00000000,?,?,0001F335,00000000,F685F08B,00020006), ref: 00051527
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CloseValue
                                                                                                                          • String ID: Date$Failed to create the key for update registration.$Failed to get the formatted key path for update registration.$Failed to write %ls value.$InstalledBy$InstalledDate$InstallerName$InstallerVersion$LogonUser$PackageName$PackageVersion$Publisher$PublishingGroup$ReleaseType$ThisVersionInstalled
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • TlsSetValue.KERNEL32(?,?), ref: 0002E7FF
                                                                                                                          • RegisterClassW.USER32(?), ref: 0002E82B
                                                                                                                          • GetLastError.KERNEL32 ref: 0002E836
                                                                                                                          • CreateWindowExW.USER32(00000080,00069E54,00000000,90000000,80000000,00000008,00000000,00000000,00000000,00000000,?,?), ref: 0002E89D
                                                                                                                          • GetLastError.KERNEL32 ref: 0002E8A7
                                                                                                                          • UnregisterClassW.USER32(WixBurnMessageWindow,?), ref: 0002E945
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ClassErrorLast$CreateRegisterUnregisterValueWindow
                                                                                                                          • String ID: Failed to create window.$Failed to register window.$Unexpected return value from message pump.$WixBurnMessageWindow$uithread.cpp
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Strings
                                                                                                                          • Failed to copy key for passthrough pseudo bundle payload., xrefs: 0003C9C5
                                                                                                                          • Failed to copy key for passthrough pseudo bundle., xrefs: 0003C988
                                                                                                                          • Failed to copy local source path for passthrough pseudo bundle., xrefs: 0003C9B7
                                                                                                                          • Failed to recreate command-line arguments., xrefs: 0003CA43
                                                                                                                          • pseudobundle.cpp, xrefs: 0003C7A8, 0003C9A1, 0003C9DB
                                                                                                                          • Failed to copy filename for passthrough pseudo bundle., xrefs: 0003C9BE
                                                                                                                          • Failed to copy related arguments for passthrough bundle package, xrefs: 0003CA82
                                                                                                                          • Failed to copy install arguments for passthrough bundle package, xrefs: 0003CA62
                                                                                                                          • Failed to copy uninstall arguments for passthrough bundle package, xrefs: 0003CAAC
                                                                                                                          • Failed to allocate space for burn package payload inside of passthrough bundle., xrefs: 0003C7B4
                                                                                                                          • Failed to copy cache id for passthrough pseudo bundle., xrefs: 0003CA05
                                                                                                                          • Failed to allocate memory for pseudo bundle payload hash., xrefs: 0003C9AD
                                                                                                                          • Failed to copy download source for passthrough pseudo bundle., xrefs: 0003C98F
                                                                                                                          • Failed to allocate space for burn payload inside of related bundle struct, xrefs: 0003C9E7
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Heap$AllocateProcess
                                                                                                                          • String ID: Failed to allocate memory for pseudo bundle payload hash.$Failed to allocate space for burn package payload inside of passthrough bundle.$Failed to allocate space for burn payload inside of related bundle struct$Failed to copy cache id for passthrough pseudo bundle.$Failed to copy download source for passthrough pseudo bundle.$Failed to copy filename for passthrough pseudo bundle.$Failed to copy install arguments for passthrough bundle package$Failed to copy key for passthrough pseudo bundle payload.$Failed to copy key for passthrough pseudo bundle.$Failed to copy local source path for passthrough pseudo bundle.$Failed to copy related arguments for passthrough bundle package$Failed to copy uninstall arguments for passthrough bundle package$Failed to recreate command-line arguments.$pseudobundle.cpp
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • lstrlenW.KERNEL32(?,?,?,?,?,?,00000000,?,?,?,?,00000000,00000000), ref: 0003DE61
                                                                                                                          Strings
                                                                                                                          • Failed to create BITS job callback., xrefs: 0003DF74
                                                                                                                          • Failed to initialize BITS job callback., xrefs: 0003DF82
                                                                                                                          • Failed to add file to BITS job., xrefs: 0003DF2E
                                                                                                                          • Failed to create BITS job., xrefs: 0003DEF0
                                                                                                                          • Invalid BITS engine URL: %ls, xrefs: 0003DE83
                                                                                                                          • Failed while waiting for BITS download., xrefs: 0003E012
                                                                                                                          • Failed to copy download URL., xrefs: 0003DEA8
                                                                                                                          • Failed to set credentials for BITS job., xrefs: 0003DF0F
                                                                                                                          • Falied to start BITS job., xrefs: 0003E019
                                                                                                                          • Failed to download BITS job., xrefs: 0003DFF8
                                                                                                                          • Failed to set callback interface for BITS job., xrefs: 0003DF99
                                                                                                                          • Failed to complete BITS job., xrefs: 0003E00B
                                                                                                                          • bitsengine.cpp, xrefs: 0003DE77, 0003DF6A
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: lstrlen
                                                                                                                          • String ID: Failed to add file to BITS job.$Failed to complete BITS job.$Failed to copy download URL.$Failed to create BITS job callback.$Failed to create BITS job.$Failed to download BITS job.$Failed to initialize BITS job callback.$Failed to set callback interface for BITS job.$Failed to set credentials for BITS job.$Failed while waiting for BITS download.$Falied to start BITS job.$Invalid BITS engine URL: %ls$bitsengine.cpp
                                                                                                                          • API String ID: 1659193697-2382896028
                                                                                                                          • Opcode ID: b3bf372c659119bb2e00f2eb900f85c09f7cdde34bce934faf568f70e74ce78a
                                                                                                                          • Instruction ID: 5d0959f1961eb278d47d810cba608020ba66995a7079d05731e5d1edaeb9dde9
                                                                                                                          • Opcode Fuzzy Hash: b3bf372c659119bb2e00f2eb900f85c09f7cdde34bce934faf568f70e74ce78a
                                                                                                                          • Instruction Fuzzy Hash: 3061D435E00265EFCB239B54D885EAE7BACEF08B10F118256FD09AF291D7B5DD409B90
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • _MREFOpen@16.MSPDB140-MSVCRT ref: 0001BCE5
                                                                                                                          • CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,00000200,00000000,?,00000044,?,?,?,?,?), ref: 0001BDF2
                                                                                                                          • GetLastError.KERNEL32(?,?,?,?), ref: 0001BDFC
                                                                                                                          • WaitForInputIdle.USER32(?,?), ref: 0001BE50
                                                                                                                          • CloseHandle.KERNEL32(?,?,?), ref: 0001BE9B
                                                                                                                          • CloseHandle.KERNEL32(?,?,?), ref: 0001BEA8
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CloseHandle$CreateErrorIdleInputLastOpen@16ProcessWait
                                                                                                                          • String ID: "%ls"$"%ls" %s$D$Failed to CreateProcess on path: %ls$Failed to create executable command.$Failed to create obfuscated executable command.$Failed to format argument string.$Failed to format obfuscated argument string.$approvedexe.cpp
                                                                                                                          • API String ID: 155678114-2737401750
                                                                                                                          • Opcode ID: 8f55afccc4754d149736d9a931378753e954e14ef49d77b618f0772b09cf4f70
                                                                                                                          • Instruction ID: 698cd1a14c74d8cfe8bff58738964003abae6c082fc83a78f96a7a14e98b5064
                                                                                                                          • Opcode Fuzzy Hash: 8f55afccc4754d149736d9a931378753e954e14ef49d77b618f0772b09cf4f70
                                                                                                                          • Instruction Fuzzy Hash: 78516A72D0061AFBDF21AFA0CC429EFBBB9BF04301B104569FA14B7161E7359E949B91
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,?,?,00000000,?,?,?,?,?,?,?,?,00036F28,?), ref: 00036A0B
                                                                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00036F28,?,?,?), ref: 00036A18
                                                                                                                          • OpenServiceW.ADVAPI32(00000000,wuauserv,00000027,?,?,?,?,?,?,?,?,00036F28,?,?,?), ref: 00036A60
                                                                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00036F28,?,?,?), ref: 00036A6C
                                                                                                                          • QueryServiceStatus.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,00036F28,?,?,?), ref: 00036AA6
                                                                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00036F28,?,?,?), ref: 00036AB0
                                                                                                                          • CloseServiceHandle.ADVAPI32(00000000), ref: 00036B67
                                                                                                                          • CloseServiceHandle.ADVAPI32(?), ref: 00036B71
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Service$ErrorLast$CloseHandleOpen$ManagerQueryStatus
                                                                                                                          • String ID: Failed to mark WU service to start on demand.$Failed to open WU service.$Failed to open service control manager.$Failed to query status of WU service.$Failed to read configuration for WU service.$msuengine.cpp$wuauserv
                                                                                                                          • API String ID: 971853308-301359130
                                                                                                                          • Opcode ID: 9972f5256634f93932c82de49d65d805d1f8a0942b42e7e6a06047dbf5577a2c
                                                                                                                          • Instruction ID: 723f57c55ffacfb26278fc74a8dfa37d8fd1eeee5611e639fe6cc5510dc8f63f
                                                                                                                          • Opcode Fuzzy Hash: 9972f5256634f93932c82de49d65d805d1f8a0942b42e7e6a06047dbf5577a2c
                                                                                                                          • Instruction Fuzzy Hash: 4F41A476E40725BBD7229BA58C45AAFBAECAB04711F11C425FD01FB281DB76DC408EA1
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • _MREFOpen@16.MSPDB140-MSVCRT ref: 0001A2B3
                                                                                                                          • _MREFOpen@16.MSPDB140-MSVCRT ref: 0001A30E
                                                                                                                          • RegQueryValueExW.ADVAPI32(000002C0,00000100,00000000,000002C0,00000000,00000000,000002C0,?,00000100,00000000,?,00000000,?,000002C0,000002C0,?), ref: 0001A32F
                                                                                                                          • RegCloseKey.ADVAPI32(00000000,00000100,00000000,000002C0,00000100,00000000,000002C0), ref: 0001A405
                                                                                                                          Strings
                                                                                                                          • Failed to set variable., xrefs: 0001A3BD
                                                                                                                          • Failed to query registry key value., xrefs: 0001A36A
                                                                                                                          • Registry value not found. Key = '%ls', Value = '%ls', xrefs: 0001A37A
                                                                                                                          • search.cpp, xrefs: 0001A360
                                                                                                                          • Failed to open registry key. Key = '%ls', xrefs: 0001A3C7
                                                                                                                          • Failed to format value string., xrefs: 0001A319
                                                                                                                          • RegistrySearchExists failed: ID '%ls', HRESULT 0x%x, xrefs: 0001A3DD
                                                                                                                          • Failed to format key string., xrefs: 0001A2BE
                                                                                                                          • Registry key not found. Key = '%ls', xrefs: 0001A396
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Open@16$CloseQueryValue
                                                                                                                          • String ID: Failed to format key string.$Failed to format value string.$Failed to open registry key. Key = '%ls'$Failed to query registry key value.$Failed to set variable.$Registry key not found. Key = '%ls'$Registry value not found. Key = '%ls', Value = '%ls'$RegistrySearchExists failed: ID '%ls', HRESULT 0x%x$search.cpp
                                                                                                                          • API String ID: 2702208347-46557908
                                                                                                                          • Opcode ID: 920c209550c4ee6334f427c20c9741a8f1dd5f143430c0d6399c292908830a23
                                                                                                                          • Instruction ID: 3d6b2043ccd9f1c825421dc3918750ed9f4b85c4a0389549f69d96fd632f98b2
                                                                                                                          • Opcode Fuzzy Hash: 920c209550c4ee6334f427c20c9741a8f1dd5f143430c0d6399c292908830a23
                                                                                                                          • Instruction Fuzzy Hash: 2641E632E41124BBDB225BA4CC06FEFBA64EB05721F104261FD14BA192D7729F94D792
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • GetModuleHandleW.KERNEL32(00000000,00000000,00000000,?,0001BAFB,00000008,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0001B210
                                                                                                                          • GetLastError.KERNEL32(?,0001BAFB,00000008,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0001B21C
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorHandleLastModule
                                                                                                                          • String ID: .wix$.wixburn$Bundle guid didn't match the guid in the PE Header in memory.$Failed to find Burn section.$Failed to find valid DOS image header in buffer.$Failed to find valid NT image header in buffer.$Failed to get module handle to process.$Failed to read section info, data to short: %u$Failed to read section info, unsupported version: %08x$burn$section.cpp
                                                                                                                          • API String ID: 4242514867-926796631
                                                                                                                          • Opcode ID: 837344d30a407874cfc2c28a5b1eb5560875e2dedb8aadd77701ac442f403ecd
                                                                                                                          • Instruction ID: 9fea76010bd38794cd8d3258f18127610ba45585cc7c04eca82659fae8b67c7e
                                                                                                                          • Opcode Fuzzy Hash: 837344d30a407874cfc2c28a5b1eb5560875e2dedb8aadd77701ac442f403ecd
                                                                                                                          • Instruction Fuzzy Hash: CF412C36280311A7C73116518C4BEEF3695EB85B32F254029FE51AF1C2DBB9CA89C2E5
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • GetModuleHandleExW.KERNEL32(00000000,ntdll,?), ref: 0001699B
                                                                                                                          • GetLastError.KERNEL32 ref: 000169A5
                                                                                                                          • GetProcAddress.KERNEL32(?,RtlGetVersion), ref: 000169E8
                                                                                                                          • GetLastError.KERNEL32 ref: 000169F2
                                                                                                                          • FreeLibrary.KERNEL32(00000000,00000000,?), ref: 00016B03
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorLast$AddressFreeHandleLibraryModuleProc
                                                                                                                          • String ID: Failed to get OS info.$Failed to locate NTDLL.$Failed to locate RtlGetVersion.$Failed to set variant value.$RtlGetVersion$ntdll$variable.cpp
                                                                                                                          • API String ID: 3057421322-109962352
                                                                                                                          • Opcode ID: 6878f4b8f21dfa89874c0a7c3d96bd43efd98700a510127a216281462fc08bb1
                                                                                                                          • Instruction ID: 031f4f97edbb94fd5577ce903d76de3b99705673c31ce4ad7cd5900d7e6b284b
                                                                                                                          • Opcode Fuzzy Hash: 6878f4b8f21dfa89874c0a7c3d96bd43efd98700a510127a216281462fc08bb1
                                                                                                                          • Instruction Fuzzy Hash: 97419172D412399BDB319B658C05BEF7AA8EF08711F40419AED08B6181EB769E84CE91
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • TlsAlloc.KERNEL32(?,00000001,00000001,00000000,00000000,?,?,?,00015466,?,?,?,?), ref: 00014920
                                                                                                                          • GetLastError.KERNEL32(?,?,?,00015466,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00014931
                                                                                                                          • ReleaseMutex.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00014A6E
                                                                                                                          • CloseHandle.KERNEL32(?,?,?,?,00015466,?,?,?,?,?,?,?,?,?,?,?), ref: 00014A77
                                                                                                                          Strings
                                                                                                                          • Failed to pump messages from parent process., xrefs: 00014A42
                                                                                                                          • engine.cpp, xrefs: 00014955, 0001499E
                                                                                                                          • comres.dll, xrefs: 000149DD
                                                                                                                          • Failed to allocate thread local storage for logging., xrefs: 0001495F
                                                                                                                          • Failed to set elevated pipe into thread local storage for logging., xrefs: 000149A8
                                                                                                                          • Failed to create the message window., xrefs: 000149CC
                                                                                                                          • Failed to connect to unelevated process., xrefs: 00014916
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: AllocCloseErrorHandleLastMutexRelease
                                                                                                                          • String ID: Failed to allocate thread local storage for logging.$Failed to connect to unelevated process.$Failed to create the message window.$Failed to pump messages from parent process.$Failed to set elevated pipe into thread local storage for logging.$comres.dll$engine.cpp
                                                                                                                          • API String ID: 687263955-1790235126
                                                                                                                          • Opcode ID: 0771653f8b4bdd47faffc1c87730c46763476e56edc03bb6d21cc00e3555753f
                                                                                                                          • Instruction ID: a6753363885a889fb813860263abe884c3be72bf633b7cf28ea6b00ab45f4023
                                                                                                                          • Opcode Fuzzy Hash: 0771653f8b4bdd47faffc1c87730c46763476e56edc03bb6d21cc00e3555753f
                                                                                                                          • Instruction Fuzzy Hash: 5E41D373A40629BBD7129BA0CC46EEFBBACBF04711F050226FA04A7151DB71B99486E1
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • GetTempPathW.KERNEL32(00000104,?,?,00000000,crypt32.dll), ref: 00023BA2
                                                                                                                          • GetLastError.KERNEL32(?,00000000,crypt32.dll), ref: 00023BAC
                                                                                                                          • GetCurrentProcessId.KERNEL32(?,?,?,00000104,?,?,00000000,crypt32.dll), ref: 00023C15
                                                                                                                          • ProcessIdToSessionId.KERNEL32(00000000,?,00000000,crypt32.dll), ref: 00023C1C
                                                                                                                          • CompareStringW.KERNEL32(00000000,00000000,?,?,?,?,?,7FFFFFFF,?,?,?,?,?,00000000,crypt32.dll), ref: 00023CA6
                                                                                                                          Strings
                                                                                                                          • Failed to get length of temp folder., xrefs: 00023C06
                                                                                                                          • Failed to copy temp folder., xrefs: 00023CCF
                                                                                                                          • logging.cpp, xrefs: 00023BD0
                                                                                                                          • Failed to get length of session id string., xrefs: 00023C71
                                                                                                                          • Failed to format session id as a string., xrefs: 00023C4A
                                                                                                                          • crypt32.dll, xrefs: 00023B61
                                                                                                                          • %u\, xrefs: 00023C36
                                                                                                                          • Failed to get temp folder., xrefs: 00023BDA
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Process$CompareCurrentErrorLastPathSessionStringTemp
                                                                                                                          • String ID: %u\$Failed to copy temp folder.$Failed to format session id as a string.$Failed to get length of session id string.$Failed to get length of temp folder.$Failed to get temp folder.$crypt32.dll$logging.cpp
                                                                                                                          • API String ID: 2407829081-3274134579
                                                                                                                          • Opcode ID: 4f3c7c4a4851399ef6f05eaa20c23c7aecf97bdd24ac34c2fa0e6fd6fded6ae4
                                                                                                                          • Instruction ID: 144650f28be15d7726513b67ed562daf0d57b3e9b524d6a4f9365cab5695e710
                                                                                                                          • Opcode Fuzzy Hash: 4f3c7c4a4851399ef6f05eaa20c23c7aecf97bdd24ac34c2fa0e6fd6fded6ae4
                                                                                                                          • Instruction Fuzzy Hash: A4419372D8123DABDB319B549C49BDEB7B9AB10710F1005A1FE08B7241DB749F858BD0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • EnterCriticalSection.KERNEL32(00000000,00000000,00000000,?,000000B9,00000002,?,00000000,00000000,00000000,00000000,00000001,00000000,00000002,000000B9), ref: 00017FC2
                                                                                                                          • LeaveCriticalSection.KERNEL32(?), ref: 000181EA
                                                                                                                          Strings
                                                                                                                          • Failed to write variable value type., xrefs: 000181CA
                                                                                                                          • Failed to get numeric., xrefs: 000181BC
                                                                                                                          • Failed to write literal flag., xrefs: 000181C3
                                                                                                                          • Unsupported variable type., xrefs: 000181A7
                                                                                                                          • feclient.dll, xrefs: 0001809D, 000180F3, 00018134
                                                                                                                          • Failed to write included flag., xrefs: 000181D8
                                                                                                                          • Failed to write variable value as number., xrefs: 00018194
                                                                                                                          • Failed to write variable count., xrefs: 00017FDD
                                                                                                                          • Failed to write variable value as string., xrefs: 000181AE
                                                                                                                          • Failed to write variable name., xrefs: 000181D1
                                                                                                                          • Failed to get version., xrefs: 0001819B
                                                                                                                          • Failed to get string., xrefs: 000181B5
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CriticalSection$EnterLeave
                                                                                                                          • String ID: Failed to get numeric.$Failed to get string.$Failed to get version.$Failed to write included flag.$Failed to write literal flag.$Failed to write variable count.$Failed to write variable name.$Failed to write variable value as number.$Failed to write variable value as string.$Failed to write variable value type.$Unsupported variable type.$feclient.dll
                                                                                                                          • API String ID: 3168844106-2118673349
                                                                                                                          • Opcode ID: 976aca437b43598dd10e774e4db1711e9ed785e222fe11eb1c743088ee396d9b
                                                                                                                          • Instruction ID: f83abf2698584749349aa76ff4be7e2fe0d0f06b4878770f70447e10a8862384
                                                                                                                          • Opcode Fuzzy Hash: 976aca437b43598dd10e774e4db1711e9ed785e222fe11eb1c743088ee396d9b
                                                                                                                          • Instruction Fuzzy Hash: 95718273D0062ABFCB629EA4C845BEF7BA9BF04350F108166FD016B151DB31DE969B90
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • CreateFileW.KERNEL32(00000000,80000000,00000005,00000000,00000003,08000000,00000000,00000000,00000000,?,0002A843,00000000,00000000,00000000,?,00000000), ref: 000297CD
                                                                                                                          • GetLastError.KERNEL32(?,0002A843,00000000,00000000,00000000,?,00000000,?,00000000,00000000,00000000), ref: 000297DD
                                                                                                                            • Part of subcall function 00054102: Sleep.KERNEL32(?,00000000,?,000285EE,?,?,00000001,00000003,000007D0,?,?,?,?,?,?,00014DBC), ref: 00054119
                                                                                                                          • CloseHandle.KERNEL32(00000000,00000000,00000001,00000003,000007D0,?,00000000,00000000,00000000), ref: 000298E9
                                                                                                                          Strings
                                                                                                                          • Copying, xrefs: 00029888, 00029893
                                                                                                                          • Moving, xrefs: 0002987F
                                                                                                                          • Failed to open payload in working path: %ls, xrefs: 0002980C
                                                                                                                          • Failed to move %ls to %ls, xrefs: 000298C1
                                                                                                                          • cache.cpp, xrefs: 00029801
                                                                                                                          • Failed to verify payload hash: %ls, xrefs: 00029875
                                                                                                                          • %ls payload from working path '%ls' to path '%ls', xrefs: 00029894
                                                                                                                          • Failed to copy %ls to %ls, xrefs: 000298D7
                                                                                                                          • Failed to verify payload signature: %ls, xrefs: 00029838
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CloseCreateErrorFileHandleLastSleep
                                                                                                                          • String ID: %ls payload from working path '%ls' to path '%ls'$Copying$Failed to copy %ls to %ls$Failed to move %ls to %ls$Failed to open payload in working path: %ls$Failed to verify payload hash: %ls$Failed to verify payload signature: %ls$Moving$cache.cpp
                                                                                                                          • API String ID: 1275171361-1604654059
                                                                                                                          • Opcode ID: 73c35d59045555e0fc7c621c4521dca4930fbd03fe6e0df06e44f260c4a871f3
                                                                                                                          • Instruction ID: 7b5aa549ac8ba188155cd8c64d3ac05b99aae4655dcf12507427f9c747288483
                                                                                                                          • Opcode Fuzzy Hash: 73c35d59045555e0fc7c621c4521dca4930fbd03fe6e0df06e44f260c4a871f3
                                                                                                                          • Instruction Fuzzy Hash: 28310872D402317BDB322A55AC4AFAF2A5CEF42F61F050125FE087F282DB61DD0096E1
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • GetCurrentProcess.KERNEL32(00000000), ref: 000165FC
                                                                                                                            • Part of subcall function 00050ACC: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,00015EB2,00000000), ref: 00050AE0
                                                                                                                            • Part of subcall function 00050ACC: GetProcAddress.KERNEL32(00000000), ref: 00050AE7
                                                                                                                            • Part of subcall function 00050ACC: GetLastError.KERNEL32(?,?,?,00015EB2,00000000), ref: 00050AFE
                                                                                                                          • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00016628
                                                                                                                          • GetLastError.KERNEL32 ref: 00016636
                                                                                                                          • GetSystemWow64DirectoryW.KERNEL32(?,00000104,00000000), ref: 0001666E
                                                                                                                          • GetLastError.KERNEL32 ref: 00016678
                                                                                                                          • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 000166BB
                                                                                                                          • GetLastError.KERNEL32 ref: 000166C5
                                                                                                                          Strings
                                                                                                                          • Failed to set system folder variant value., xrefs: 00016724
                                                                                                                          • Failed to get 64-bit system folder., xrefs: 00016664
                                                                                                                          • Failed to get 32-bit system folder., xrefs: 000166A6
                                                                                                                          • Failed to backslash terminate system folder., xrefs: 00016708
                                                                                                                          • variable.cpp, xrefs: 0001665A, 0001669C
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorLast$DirectorySystem$AddressCurrentHandleModuleProcProcessWow64
                                                                                                                          • String ID: Failed to backslash terminate system folder.$Failed to get 32-bit system folder.$Failed to get 64-bit system folder.$Failed to set system folder variant value.$variable.cpp
                                                                                                                          • API String ID: 325818893-1590374846
                                                                                                                          • Opcode ID: 26ec8442a76e9d0a4eb9025711dea90b0540c41427068bc0d9655072c534420c
                                                                                                                          • Instruction ID: f19f7e866189c1ac025344c433fa42ecfdefbfaa0ac5fea92091fb2da44d432a
                                                                                                                          • Opcode Fuzzy Hash: 26ec8442a76e9d0a4eb9025711dea90b0540c41427068bc0d9655072c534420c
                                                                                                                          • Instruction Fuzzy Hash: 0D310476E4133567EB3097648C49BEF77A8AF00751F014156BE04BB181DB7ADDC48AE1
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                            • Part of subcall function 00023AA6: RegCloseKey.ADVAPI32(00000000,SOFTWARE\Policies\Microsoft\Windows\Installer,00020019,00000001,feclient.dll,?,?,?,00023FB5,feclient.dll,?,00000000,?,?,?,00014B12), ref: 00023B42
                                                                                                                          • Sleep.KERNEL32(000007D0,00000001,feclient.dll,?,00000000,?,?,?,00014B12,?,?,0005B488,?,00000001,00000000,00000000), ref: 0002404C
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CloseSleep
                                                                                                                          • String ID: Failed to copy full log path to prefix.$Failed to copy log extension to extension.$Failed to copy log path to prefix.$Failed to get current directory.$Failed to get non-session specific TEMP folder.$Failed to open log: %ls$Setup$clbcatq.dll$crypt32.dll$feclient.dll$log$msasn1.dll
                                                                                                                          • API String ID: 2834455192-2673269691
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • EnterCriticalSection.KERNEL32(00000001,?,00000000,00015445,00000006,?,000182B9,?,?,?,00000000,00000000,00000001), ref: 00016DC8
                                                                                                                            • Part of subcall function 000156A9: CompareStringW.KERNELBASE(0000007F,00001000,?,000000FF,version.dll,000000FF,?,?,00000000,00016595,00016595,?,0001563D,?,?,00000000), ref: 000156E5
                                                                                                                            • Part of subcall function 000156A9: GetLastError.KERNEL32(?,0001563D,?,?,00000000,?,?,00016595,?,00017F02,?,?,?,?,?), ref: 00015714
                                                                                                                          • LeaveCriticalSection.KERNEL32(00000001,?,00000000,00000001,00000000,00000000,?,000182B9), ref: 00016F59
                                                                                                                          Strings
                                                                                                                          • Setting numeric variable '%ls' to value %lld, xrefs: 00016EFA
                                                                                                                          • Failed to set value of variable: %ls, xrefs: 00016F41
                                                                                                                          • Attempt to set built-in variable value: %ls, xrefs: 00016E56
                                                                                                                          • Setting hidden variable '%ls', xrefs: 00016E86
                                                                                                                          • Failed to find variable value '%ls'., xrefs: 00016DE3
                                                                                                                          • Unsetting variable '%ls', xrefs: 00016F15
                                                                                                                          • Setting variable failed: ID '%ls', HRESULT 0x%x, xrefs: 00016F6B
                                                                                                                          • Failed to insert variable '%ls'., xrefs: 00016E0D
                                                                                                                          • Setting string variable '%ls' to value '%ls', xrefs: 00016EED
                                                                                                                          • variable.cpp, xrefs: 00016E4B
                                                                                                                          • Setting version variable '%ls' to value '%hu.%hu.%hu.%hu', xrefs: 00016ED0
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CriticalSection$CompareEnterErrorLastLeaveString
                                                                                                                          • String ID: Attempt to set built-in variable value: %ls$Failed to find variable value '%ls'.$Failed to insert variable '%ls'.$Failed to set value of variable: %ls$Setting hidden variable '%ls'$Setting numeric variable '%ls' to value %lld$Setting string variable '%ls' to value '%ls'$Setting variable failed: ID '%ls', HRESULT 0x%x$Setting version variable '%ls' to value '%hu.%hu.%hu.%hu'$Unsetting variable '%ls'$variable.cpp
                                                                                                                          • API String ID: 2716280545-445000439
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • CompareStringW.KERNEL32(00000000,00000001,006C0064,000000FF,002C002B,000000FF,?,00000000,?,wininet.dll,?,crypt32.dll,?,?,?,00000000), ref: 00022C8A
                                                                                                                          Strings
                                                                                                                          • wininet.dll, xrefs: 00022ED7
                                                                                                                          • Failed to create the string dictionary., xrefs: 00022CC3
                                                                                                                          • Failed to check for remaining dependents during planning., xrefs: 00022E30
                                                                                                                          • Failed to add registration action for self dependent., xrefs: 00022F57
                                                                                                                          • Failed to add registration action for dependent related bundle., xrefs: 00022F8E
                                                                                                                          • Failed to add dependents ignored from command-line., xrefs: 00022D3F
                                                                                                                          • crypt32.dll, xrefs: 00022CD5, 00022DCF, 00022EC4, 00022F39
                                                                                                                          • Failed to add dependent bundle provider key to ignore dependents., xrefs: 00022DF4
                                                                                                                          • Failed to allocate registration action., xrefs: 00022CF3
                                                                                                                          • Failed to add self-dependent to ignore dependents., xrefs: 00022D0E
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CompareString
                                                                                                                          • String ID: Failed to add dependent bundle provider key to ignore dependents.$Failed to add dependents ignored from command-line.$Failed to add registration action for dependent related bundle.$Failed to add registration action for self dependent.$Failed to add self-dependent to ignore dependents.$Failed to allocate registration action.$Failed to check for remaining dependents during planning.$Failed to create the string dictionary.$crypt32.dll$wininet.dll
                                                                                                                          • API String ID: 1825529933-1705955799
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • EnterCriticalSection.KERNEL32(?), ref: 0002F947
                                                                                                                          • UuidCreate.RPCRT4(?), ref: 0002FA2A
                                                                                                                          • StringFromGUID2.OLE32(?,?,00000027), ref: 0002FA4B
                                                                                                                          • LeaveCriticalSection.KERNEL32(?,?), ref: 0002FAF4
                                                                                                                          Strings
                                                                                                                          • Failed to default local update source, xrefs: 0002F9B7
                                                                                                                          • EngineForApplication.cpp, xrefs: 0002FA60
                                                                                                                          • update\%ls, xrefs: 0002F9A3
                                                                                                                          • Failed to convert bundle update guid into string., xrefs: 0002FA6A
                                                                                                                          • Failed to set update bundle., xrefs: 0002FACE
                                                                                                                          • Failed to create bundle update guid., xrefs: 0002FA37
                                                                                                                          • Failed to recreate command-line for update bundle., xrefs: 0002FA12
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CriticalSection$CreateEnterFromLeaveStringUuid
                                                                                                                          • String ID: EngineForApplication.cpp$Failed to convert bundle update guid into string.$Failed to create bundle update guid.$Failed to default local update source$Failed to recreate command-line for update bundle.$Failed to set update bundle.$update\%ls
                                                                                                                          • API String ID: 171215650-2594647487
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • IsWindow.USER32(?), ref: 00014C64
                                                                                                                          • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00014C75
                                                                                                                          Strings
                                                                                                                          • Failed while running , xrefs: 00014C2A
                                                                                                                          • Failed to set action variables., xrefs: 00014BC4
                                                                                                                          • Failed to open log., xrefs: 00014B18
                                                                                                                          • Failed to create the message window., xrefs: 00014B98
                                                                                                                          • Failed to check global conditions, xrefs: 00014B49
                                                                                                                          • Failed to set layout directory variable to value provided from command-line., xrefs: 00014C06
                                                                                                                          • Failed to query registration., xrefs: 00014BAE
                                                                                                                          • WixBundleLayoutDirectory, xrefs: 00014BF5
                                                                                                                          • Failed to set registration variables., xrefs: 00014BDE
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: MessagePostWindow
                                                                                                                          • String ID: Failed to check global conditions$Failed to create the message window.$Failed to open log.$Failed to query registration.$Failed to set action variables.$Failed to set layout directory variable to value provided from command-line.$Failed to set registration variables.$Failed while running $WixBundleLayoutDirectory
                                                                                                                          • API String ID: 3618638489-3051724725
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                            • Part of subcall function 0001394F: GetProcessHeap.KERNEL32(?,000001C7,?,00012274,000001C7,00000001,80004005,8007139F,?,?,00050267,8007139F,?,00000000,00000000,8007139F), ref: 00013960
                                                                                                                            • Part of subcall function 0001394F: RtlAllocateHeap.NTDLL(00000000,?,00012274,000001C7,00000001,80004005,8007139F,?,?,00050267,8007139F,?,00000000,00000000,8007139F), ref: 00013967
                                                                                                                          • EnterCriticalSection.KERNEL32(?,00000014,00000001), ref: 0002F06E
                                                                                                                          • LeaveCriticalSection.KERNEL32(?), ref: 0002F19B
                                                                                                                          Strings
                                                                                                                          • Engine is active, cannot change engine state., xrefs: 0002F089
                                                                                                                          • EngineForApplication.cpp, xrefs: 0002F17C
                                                                                                                          • Failed to copy the arguments., xrefs: 0002F12D
                                                                                                                          • Failed to copy the id., xrefs: 0002F100
                                                                                                                          • Failed to post launch approved exe message., xrefs: 0002F186
                                                                                                                          • UX requested unknown approved exe with id: %ls, xrefs: 0002F0CE
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CriticalHeapSection$AllocateEnterLeaveProcess
                                                                                                                          • String ID: Engine is active, cannot change engine state.$EngineForApplication.cpp$Failed to copy the arguments.$Failed to copy the id.$Failed to post launch approved exe message.$UX requested unknown approved exe with id: %ls
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • CreateFileW.KERNEL32(00000000,80000000,00000005,00000000,00000003,08000000,00000000,00000000,00000000,?,0002A7D4,00000000,00000000,00000000,?,00000000), ref: 000296B8
                                                                                                                          • GetLastError.KERNEL32(?,0002A7D4,00000000,00000000,00000000,?,00000000,?,00000000,00000000,00000000), ref: 000296C6
                                                                                                                            • Part of subcall function 00054102: Sleep.KERNEL32(?,00000000,?,000285EE,?,?,00000001,00000003,000007D0,?,?,?,?,?,?,00014DBC), ref: 00054119
                                                                                                                          • CloseHandle.KERNEL32(00000000,00000000,00000001,00000003,000007D0,?,00000000,00000000,00000000), ref: 000297A4
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CloseCreateErrorFileHandleLastSleep
                                                                                                                          • String ID: %ls container from working path '%ls' to path '%ls'$Copying$Failed to copy %ls to %ls$Failed to move %ls to %ls$Failed to open container in working path: %ls$Failed to verify container hash: %ls$Moving$cache.cpp
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • EnterCriticalSection.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 00016FB2
                                                                                                                          • LeaveCriticalSection.KERNEL32(?), ref: 000171BE
                                                                                                                          Strings
                                                                                                                          • Failed to set variable., xrefs: 00017192
                                                                                                                          • Unsupported variable type., xrefs: 00017184
                                                                                                                          • Failed to read variable value as string., xrefs: 0001718B
                                                                                                                          • Failed to read variable included flag., xrefs: 000171AE
                                                                                                                          • Failed to read variable count., xrefs: 00016FD2
                                                                                                                          • Failed to read variable value as number., xrefs: 00017178
                                                                                                                          • Failed to set variable value., xrefs: 00017171
                                                                                                                          • Failed to read variable name., xrefs: 000171A7
                                                                                                                          • Failed to read variable literal flag., xrefs: 00017199
                                                                                                                          • Failed to read variable value type., xrefs: 000171A0
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CriticalSection$EnterLeave
                                                                                                                          • String ID: Failed to read variable count.$Failed to read variable included flag.$Failed to read variable literal flag.$Failed to read variable name.$Failed to read variable value as number.$Failed to read variable value as string.$Failed to read variable value type.$Failed to set variable value.$Failed to set variable.$Unsupported variable type.
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • CreateFileW.KERNEL32(00000000,80000000,00000005,00000000,00000003,08000080,00000000,?,?,00000000,?,00000000,?,?,?), ref: 00054550
                                                                                                                          • GetLastError.KERNEL32 ref: 00054566
                                                                                                                          • GetFileSizeEx.KERNEL32(00000000,?), ref: 000545BF
                                                                                                                          • GetLastError.KERNEL32 ref: 000545C9
                                                                                                                          • SetFilePointer.KERNEL32(00000000,?,?,00000001), ref: 0005461D
                                                                                                                          • GetLastError.KERNEL32 ref: 00054628
                                                                                                                          • ReadFile.KERNEL32(?,?,?,?,00000000,?,00000000,?,?,00000001), ref: 00054717
                                                                                                                          • CloseHandle.KERNEL32(?), ref: 0005478A
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: File$ErrorLast$CloseCreateHandlePointerReadSize
                                                                                                                          • String ID: fileutil.cpp
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • ExpandEnvironmentStringsW.KERNEL32(00000040,00000000,00000040,00000000,00000040,00000000,00000000), ref: 000130C1
                                                                                                                          • GetLastError.KERNEL32 ref: 000130C7
                                                                                                                          • ExpandEnvironmentStringsW.KERNEL32(00000040,00000000,00000040,00000000,00000000), ref: 00013121
                                                                                                                          • GetLastError.KERNEL32 ref: 00013127
                                                                                                                          • GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 000131DB
                                                                                                                          • GetLastError.KERNEL32 ref: 000131E5
                                                                                                                          • GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 0001323B
                                                                                                                          • GetLastError.KERNEL32 ref: 00013245
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorLast$EnvironmentExpandFullNamePathStrings
                                                                                                                          • String ID: @$pathutil.cpp
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,label,000000FF,?,?,?,74DEDFD0,?,000572C8,?,?), ref: 00056DA6
                                                                                                                          • SysFreeString.OLEAUT32(00000000), ref: 00056E11
                                                                                                                          • SysFreeString.OLEAUT32(00000000), ref: 00056E89
                                                                                                                          • SysFreeString.OLEAUT32(00000000), ref: 00056EC8
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: String$Free$Compare
                                                                                                                          • String ID: `<u$label$scheme$term
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • UuidCreate.RPCRT4(?), ref: 00024DC0
                                                                                                                          • StringFromGUID2.OLE32(?,?,00000027), ref: 00024DEF
                                                                                                                          • UuidCreate.RPCRT4(?), ref: 00024E3A
                                                                                                                          • StringFromGUID2.OLE32(?,?,00000027), ref: 00024E66
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CreateFromStringUuid
                                                                                                                          • String ID: BurnPipe.%s$Failed to allocate pipe name.$Failed to allocate pipe secret.$Failed to convert pipe guid into string.$Failed to create pipe guid.$pipe.cpp
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,?,?,0001548E,?,?), ref: 0002EA9D
                                                                                                                          • GetLastError.KERNEL32(?,0001548E,?,?), ref: 0002EAAA
                                                                                                                          • CreateThread.KERNEL32(00000000,00000000,0002E7B4,?,00000000,00000000), ref: 0002EB03
                                                                                                                          • GetLastError.KERNEL32(?,0001548E,?,?), ref: 0002EB10
                                                                                                                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,0001548E,?,?), ref: 0002EB4B
                                                                                                                          • CloseHandle.KERNEL32(00000000,?,0001548E,?,?), ref: 0002EB6A
                                                                                                                          • CloseHandle.KERNEL32(?,?,0001548E,?,?), ref: 0002EB77
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CloseCreateErrorHandleLast$EventMultipleObjectsThreadWait
                                                                                                                          • String ID: Failed to create initialization event.$Failed to create the UI thread.$uithread.cpp
                                                                                                                          • API String ID: 2351989216-3599963359
                                                                                                                          • Opcode ID: 06d46cc56164f2a368e2ca1bf6939d07f57ed84ebd6e8db24d271085ff244acd
                                                                                                                          • Instruction ID: a4d6e5b65e7a60a605d3b002a040f123f2013f09444b0989c1c470fd98968c52
                                                                                                                          • Opcode Fuzzy Hash: 06d46cc56164f2a368e2ca1bf6939d07f57ed84ebd6e8db24d271085ff244acd
                                                                                                                          • Instruction Fuzzy Hash: B8317276D41229BBEB119F99DD85A9FBAECFF04751F110165FA05F7280E730AE0086A1
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,00000000,?,?,0001548E,?,?), ref: 0002E666
                                                                                                                          • GetLastError.KERNEL32(?,?,0001548E,?,?), ref: 0002E673
                                                                                                                          • CreateThread.KERNEL32(00000000,00000000,0002E3C8,00000000,00000000,00000000), ref: 0002E6D2
                                                                                                                          • GetLastError.KERNEL32(?,?,0001548E,?,?), ref: 0002E6DF
                                                                                                                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,0001548E,?,?), ref: 0002E71A
                                                                                                                          • CloseHandle.KERNEL32(?,?,?,0001548E,?,?), ref: 0002E72E
                                                                                                                          • CloseHandle.KERNEL32(?,?,?,0001548E,?,?), ref: 0002E73B
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CloseCreateErrorHandleLast$EventMultipleObjectsThreadWait
                                                                                                                          • String ID: Failed to create UI thread.$Failed to create modal event.$splashscreen.cpp
                                                                                                                          • API String ID: 2351989216-1977201954
                                                                                                                          • Opcode ID: 8be087dc0d4b90f8e7c340252ecb4eb2323b1819ee49fbc975b084e4363ded9f
                                                                                                                          • Instruction ID: 5f9efb025e6fddc9cf2b1cbf8cd223b3db089f5da16986d9a20328b57737e6ef
                                                                                                                          • Opcode Fuzzy Hash: 8be087dc0d4b90f8e7c340252ecb4eb2323b1819ee49fbc975b084e4363ded9f
                                                                                                                          • Instruction Fuzzy Hash: E1319176D40229BBDB218B99EC099AFBBF8EF44751F114166FE10F7240E7349A00CAE1
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,74DF2F60,?,?,00015405,000153BD,00000000,00015445), ref: 00031506
                                                                                                                          • GetLastError.KERNEL32 ref: 00031519
                                                                                                                          • GetExitCodeThread.KERNEL32(0005B488,?), ref: 0003155B
                                                                                                                          • GetLastError.KERNEL32 ref: 00031569
                                                                                                                          • ResetEvent.KERNEL32(0005B460), ref: 000315A4
                                                                                                                          • GetLastError.KERNEL32 ref: 000315AE
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorLast$CodeEventExitMultipleObjectsResetThreadWait
                                                                                                                          • String ID: Failed to get extraction thread exit code.$Failed to reset operation complete event.$Failed to wait for operation complete event.$cabextract.cpp
                                                                                                                          • API String ID: 2979751695-3400260300
                                                                                                                          • Opcode ID: f1d5f36c0bdc37311e5bcb2e951eb3d6a57cc08f1e5fb1eb8d06cd92135f3895
                                                                                                                          • Instruction ID: d0b1a94ce389e57616b60b524c9f21da3e6017cd31836fd58302ab2436c92836
                                                                                                                          • Opcode Fuzzy Hash: f1d5f36c0bdc37311e5bcb2e951eb3d6a57cc08f1e5fb1eb8d06cd92135f3895
                                                                                                                          • Instruction Fuzzy Hash: E531B471B00705EBEB11AFA58D01AFF77FCEB48701F20415AF906EA1A0E735DA009B61
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • SetEvent.KERNEL32(0005B478,?,00000000,?,0001C1D3,?,000153BD,00000000,?,0002784D,?,0001566D,00015479,00015479,00000000,?), ref: 0003161B
                                                                                                                          • GetLastError.KERNEL32(?,0001C1D3,?,000153BD,00000000,?,0002784D,?,0001566D,00015479,00015479,00000000,?,00015489,FFF9E89D,00015489), ref: 00031625
                                                                                                                          • WaitForSingleObject.KERNEL32(0005B488,000000FF,?,0001C1D3,?,000153BD,00000000,?,0002784D,?,0001566D,00015479,00015479,00000000,?,00015489), ref: 0003165F
                                                                                                                          • GetLastError.KERNEL32(?,0001C1D3,?,000153BD,00000000,?,0002784D,?,0001566D,00015479,00015479,00000000,?,00015489,FFF9E89D,00015489), ref: 00031669
                                                                                                                          • CloseHandle.KERNEL32(00000000,00015489,?,00000000,?,0001C1D3,?,000153BD,00000000,?,0002784D,?,0001566D,00015479,00015479,00000000), ref: 000316B4
                                                                                                                          • CloseHandle.KERNEL32(00000000,00015489,?,00000000,?,0001C1D3,?,000153BD,00000000,?,0002784D,?,0001566D,00015479,00015479,00000000), ref: 000316C3
                                                                                                                          • CloseHandle.KERNEL32(00000000,00015489,?,00000000,?,0001C1D3,?,000153BD,00000000,?,0002784D,?,0001566D,00015479,00015479,00000000), ref: 000316D2
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CloseHandle$ErrorLast$EventObjectSingleWait
                                                                                                                          • String ID: Failed to set begin operation event.$Failed to wait for thread to terminate.$cabextract.cpp
                                                                                                                          • API String ID: 1206859064-226982402
                                                                                                                          • Opcode ID: 05a7d87b13a2653e82492ee23ddb9cb91fbedf4b85beca6cb741ca32946e5b17
                                                                                                                          • Instruction ID: fec8f2196e4f38ae243b937debc5af10fa74bf2244e889f58761f7be901efed3
                                                                                                                          • Opcode Fuzzy Hash: 05a7d87b13a2653e82492ee23ddb9cb91fbedf4b85beca6cb741ca32946e5b17
                                                                                                                          • Instruction Fuzzy Hash: 3921C932641A22B7D7325B95CC0A7D6B6E8BF0C722F150215E904759A0D779EC50CEE9
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                            • Part of subcall function 00050523: EnterCriticalSection.KERNEL32(0007B5FC,00000000,?,?,?,00024207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,000154FA,?), ref: 00050533
                                                                                                                            • Part of subcall function 00050523: LeaveCriticalSection.KERNEL32(0007B5FC,?,?,0007B5F4,?,00024207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,000154FA,?), ref: 0005067A
                                                                                                                          • OpenEventLogW.ADVAPI32(00000000,Application), ref: 00024212
                                                                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 0002421E
                                                                                                                          • ReportEventW.ADVAPI32(00000000,00000001,00000001,00000001,00000000,00000001,00000000,000639D4,00000000), ref: 0002426B
                                                                                                                          • CloseEventLog.ADVAPI32(00000000), ref: 00024272
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Event$CriticalSection$CloseEnterErrorLastLeaveOpenReport
                                                                                                                          • String ID: Application$Failed to open Application event log$Setup$_Failed$logging.cpp$txt
                                                                                                                          • API String ID: 1844635321-1389066741
                                                                                                                          • Opcode ID: 6680f9f6dff5e4e2453e9c7e1c8d2af1b46056912daa546755b05486d69b0b80
                                                                                                                          • Instruction ID: 8eada72f21a5160d548ca5fba02f9406e194f25330777d73d8995f9cfc46ad1c
                                                                                                                          • Opcode Fuzzy Hash: 6680f9f6dff5e4e2453e9c7e1c8d2af1b46056912daa546755b05486d69b0b80
                                                                                                                          • Instruction Fuzzy Hash: DFF08136A81771BAA73126626C0EDBFAC6CDBC6F227411114BF10F9182DB48990585F5
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • GetLastError.KERNEL32(000007D0,000007D0,00000000,00000000,?,00000000,00000000,00000003,00000000,00000000), ref: 0002949E
                                                                                                                          • GetLastError.KERNEL32(000007D0,000007D0,00000000,00000000,000007D0,00000001), ref: 000294C6
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorLast
                                                                                                                          • String ID: $$0$Could not close verify handle.$Could not verify file %ls.$Failed to allocate memory$Failed to allocate string.$Failed to encode file hash.$Failed to get file hash.$cache.cpp
                                                                                                                          • API String ID: 1452528299-4263581490
                                                                                                                          • Opcode ID: 048a633985f547be946d40ce3f0578d651ab9d8b5a16e78315c6c476848629a0
                                                                                                                          • Instruction ID: 7ae5682b0dfa1468ea01d71350e1339d075049995a397a29342644a5f4391a47
                                                                                                                          • Opcode Fuzzy Hash: 048a633985f547be946d40ce3f0578d651ab9d8b5a16e78315c6c476848629a0
                                                                                                                          • Instruction Fuzzy Hash: FF715F72D00639ABDB21DFD4DC45BEEB7F8AB08710F110126FA15BB291E7359D458BA0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • GetWindowLongW.USER32(?,000000EB), ref: 0002E577
                                                                                                                          • DefWindowProcW.USER32(?,00000082,?,?), ref: 0002E5B5
                                                                                                                          • SetWindowLongW.USER32(?,000000EB,00000000), ref: 0002E5C2
                                                                                                                          • SetWindowLongW.USER32(?,000000EB,?), ref: 0002E5D1
                                                                                                                          • DefWindowProcW.USER32(?,?,?,?), ref: 0002E5DF
                                                                                                                          • CreateCompatibleDC.GDI32(?), ref: 0002E5EB
                                                                                                                          • SelectObject.GDI32(00000000,00000000), ref: 0002E5FC
                                                                                                                          • StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0002E61E
                                                                                                                          • SelectObject.GDI32(00000000,00000000), ref: 0002E626
                                                                                                                          • DeleteDC.GDI32(00000000), ref: 0002E629
                                                                                                                          • PostQuitMessage.USER32(00000000), ref: 0002E637
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Window$Long$ObjectProcSelect$CompatibleCreateDeleteMessagePostQuitStretch
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 409979828-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Strings
                                                                                                                          • WixBundleLastUsedSource, xrefs: 0002A1A1
                                                                                                                          • Failed to combine layout source with source., xrefs: 0002A2A4
                                                                                                                          • Failed to copy source path., xrefs: 0002A31A
                                                                                                                          • Failed to combine last source with source., xrefs: 0002A210
                                                                                                                          • Failed to get current process directory., xrefs: 0002A1F3
                                                                                                                          • WixBundleOriginalSource, xrefs: 0002A1B7
                                                                                                                          • Failed to get bundle layout directory property., xrefs: 0002A287
                                                                                                                          • WixBundleLayoutDirectory, xrefs: 0002A26C
                                                                                                                          Similarity
                                                                                                                          • API ID: Find$CloseFileFirstlstrlen
                                                                                                                          • String ID: Failed to combine last source with source.$Failed to combine layout source with source.$Failed to copy source path.$Failed to get bundle layout directory property.$Failed to get current process directory.$WixBundleLastUsedSource$WixBundleLayoutDirectory$WixBundleOriginalSource
                                                                                                                          • API String ID: 2767606509-3003062821
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • GetTempPathW.KERNEL32(00000104,?,00000000,00000000,00000000), ref: 00012E5F
                                                                                                                          • GetLastError.KERNEL32 ref: 00012E69
                                                                                                                          • GetLocalTime.KERNEL32(?,?,?,?,?,?), ref: 00012F09
                                                                                                                          • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000001,00000080,00000000), ref: 00012F96
                                                                                                                          • GetLastError.KERNEL32 ref: 00012FA3
                                                                                                                          • Sleep.KERNEL32(00000064), ref: 00012FB7
                                                                                                                          • CloseHandle.KERNEL32(?), ref: 0001301F
                                                                                                                          Strings
                                                                                                                          • %ls_%04u%02u%02u%02u%02u%02u%ls%ls%ls, xrefs: 00012F66
                                                                                                                          • pathutil.cpp, xrefs: 00012E8D
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorLast$CloseCreateFileHandleLocalPathSleepTempTime
                                                                                                                          • String ID: %ls_%04u%02u%02u%02u%02u%02u%ls%ls%ls$pathutil.cpp
                                                                                                                          • API String ID: 3480017824-1101990113
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000000,FFFEB88D,000000FF,00000001,000000FF,?,00000001,000153BD,00000000,00015489,00015445,WixBundleUILevel,840F01E8,?,00000001), ref: 0001CC1C
                                                                                                                          Strings
                                                                                                                          • Failed to find embedded payload: %ls, xrefs: 0001CC48
                                                                                                                          • Failed to extract file., xrefs: 0001CCE7
                                                                                                                          • Failed to get directory portion of local file path, xrefs: 0001CCF5
                                                                                                                          • payload.cpp, xrefs: 0001CD1D
                                                                                                                          • Payload was not found in container: %ls, xrefs: 0001CD29
                                                                                                                          • Failed to concat file paths., xrefs: 0001CCFC
                                                                                                                          • Failed to get next stream., xrefs: 0001CD03
                                                                                                                          • Failed to ensure directory exists, xrefs: 0001CCEE
                                                                                                                          Similarity
                                                                                                                          • API ID: CompareString
                                                                                                                          • String ID: Failed to concat file paths.$Failed to ensure directory exists$Failed to extract file.$Failed to find embedded payload: %ls$Failed to get directory portion of local file path$Failed to get next stream.$Payload was not found in container: %ls$payload.cpp
                                                                                                                          • API String ID: 1825529933-1711239286
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • PeekMessageW.USER32(00000000,00000000,00000400,00000400,00000000), ref: 000147BB
                                                                                                                          • GetCurrentThreadId.KERNEL32 ref: 000147C1
                                                                                                                          • GetMessageW.USER32(00000000,00000000,00000000,00000000), ref: 0001484F
                                                                                                                          Strings
                                                                                                                          • Failed to start bootstrapper application., xrefs: 0001481D
                                                                                                                          • wininet.dll, xrefs: 000147EE
                                                                                                                          • engine.cpp, xrefs: 0001489B
                                                                                                                          • Unexpected return value from message pump., xrefs: 000148A5
                                                                                                                          • Failed to load UX., xrefs: 00014804
                                                                                                                          • Failed to create engine for UX., xrefs: 000147DB
                                                                                                                          Similarity
                                                                                                                          • API ID: Message$CurrentPeekThread
                                                                                                                          • String ID: Failed to create engine for UX.$Failed to load UX.$Failed to start bootstrapper application.$Unexpected return value from message pump.$engine.cpp$wininet.dll
                                                                                                                          • API String ID: 673430819-2573580774
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • SetFileAttributesW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?,?,0003B03E,?,00000001,00000000), ref: 00039D0F
                                                                                                                          • GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,?,?,0003B03E,?,00000001,00000000,00000000,00000000,00000001,00000000), ref: 00039D19
                                                                                                                          • CopyFileExW.KERNEL32(00000000,00000000,00039B69,?,?,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000), ref: 00039D67
                                                                                                                          • GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,?,?,0003B03E,?,00000001,00000000,00000000,00000000,00000001,00000000), ref: 00039D96
                                                                                                                          Strings
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorFileLast$AttributesCopy
                                                                                                                          • String ID: BA aborted copy of payload from: '%ls' to: %ls.$Failed attempt to copy payload from: '%ls' to: %ls.$Failed to clear readonly bit on payload destination path: %ls$apply.cpp$copy
                                                                                                                          • API String ID: 1969131206-836986073
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • LocalFree.KERNEL32(00000000,?,00000001,80000005,?,00000000,00000000,00000000,00000003,000007D0), ref: 00029007
                                                                                                                          Strings
                                                                                                                          • Failed to create ACL to secure cache path: %ls, xrefs: 00028FBB
                                                                                                                          • Failed to allocate access for Users group to path: %ls, xrefs: 00028F72
                                                                                                                          • Failed to allocate access for SYSTEM group to path: %ls, xrefs: 00028F30
                                                                                                                          • Failed to secure cache path: %ls, xrefs: 00028FEA
                                                                                                                          • cache.cpp, xrefs: 00028FB0
                                                                                                                          • Failed to allocate access for Administrators group to path: %ls, xrefs: 00028F0F
                                                                                                                          • Failed to allocate access for Everyone group to path: %ls, xrefs: 00028F51
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: FreeLocal
                                                                                                                          • String ID: Failed to allocate access for Administrators group to path: %ls$Failed to allocate access for Everyone group to path: %ls$Failed to allocate access for SYSTEM group to path: %ls$Failed to allocate access for Users group to path: %ls$Failed to create ACL to secure cache path: %ls$Failed to secure cache path: %ls$cache.cpp
                                                                                                                          • API String ID: 2826327444-4113288589
                                                                                                                          • Opcode ID: 90239418ee27bb4d2624b7123c0dcc817addc5944d413ecb288430e1d502e7a0
                                                                                                                          • Instruction ID: a3786e36c48e55625f9ae70cb49149b7bc024b0a288bfcb38b58f821a16f1566
                                                                                                                          • Opcode Fuzzy Hash: 90239418ee27bb4d2624b7123c0dcc817addc5944d413ecb288430e1d502e7a0
                                                                                                                          • Instruction Fuzzy Hash: 3841E336A42739B6DB719650DD02FEA7769AB40B10F5180A0FA08BA181DFB5AE4487A1
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • ReadFile.KERNEL32(00000000,crypt32.dll,00000008,?,00000000,?,00000000,00000000,crypt32.dll,00000000,?,?,?,00000000,?,00000000), ref: 0002495A
                                                                                                                          • GetLastError.KERNEL32 ref: 00024967
                                                                                                                          • ReadFile.KERNEL32(?,00000000,?,?,00000000,?,00000000), ref: 00024A12
                                                                                                                          • GetLastError.KERNEL32 ref: 00024A1C
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorFileLastRead
                                                                                                                          • String ID: Failed to allocate data for message.$Failed to read data for message.$Failed to read message from pipe.$crypt32.dll$pipe.cpp
                                                                                                                          • API String ID: 1948546556-773887359
                                                                                                                          • Opcode ID: ffd5d77df12224ee9980080dccf0c5adb0eb80b842487192776fd0920f1c682b
                                                                                                                          • Instruction ID: a2ec15d797fd4d83db3ca96db9ad90cbe4c0a31fd8081366331c16a0a76e826e
                                                                                                                          • Opcode Fuzzy Hash: ffd5d77df12224ee9980080dccf0c5adb0eb80b842487192776fd0920f1c682b
                                                                                                                          • Instruction Fuzzy Hash: 0E31E732D40239BBDB219B959C45BAFB7A8BB04B21F118129FD40AB181D7749D80C7D5
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,name,000000FF,00000000,00000000,00000000,?,74DEDFD0), ref: 00056C88
                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,email,000000FF), ref: 00056CA5
                                                                                                                          • SysFreeString.OLEAUT32(00000000), ref: 00056CE3
                                                                                                                          • SysFreeString.OLEAUT32(00000000), ref: 00056D27
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: String$CompareFree
                                                                                                                          • String ID: `<u$email$name$uri
                                                                                                                          • API String ID: 3589242889-1197142144
                                                                                                                          • Opcode ID: 1823cd732f9ac7e4b53381d2d895b74b43b90f2746f0737b3fa7a9e6034affa6
                                                                                                                          • Instruction ID: dad79755af8e9b779b40a97c2ed08904304d0ddff102787dbf037e433d9407f4
                                                                                                                          • Opcode Fuzzy Hash: 1823cd732f9ac7e4b53381d2d895b74b43b90f2746f0737b3fa7a9e6034affa6
                                                                                                                          • Instruction Fuzzy Hash: 49419335E01218BBDB119B90CD44FAEBBB4EF04322F6046A4ED10AB1E0C7369E08DB50
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • LoadBitmapW.USER32(?,00000001), ref: 0002E2E5
                                                                                                                          • GetLastError.KERNEL32 ref: 0002E2F1
                                                                                                                          • GetObjectW.GDI32(00000000,00000018,?), ref: 0002E338
                                                                                                                          • GetCursorPos.USER32(?), ref: 0002E359
                                                                                                                          • MonitorFromPoint.USER32(?,?,00000002), ref: 0002E36B
                                                                                                                          • GetMonitorInfoW.USER32(00000000,?), ref: 0002E381
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Monitor$BitmapCursorErrorFromInfoLastLoadObjectPoint
                                                                                                                          • String ID: ($Failed to load splash screen bitmap.$splashscreen.cpp
                                                                                                                          • API String ID: 2342928100-598475503
                                                                                                                          • Opcode ID: 73ee4be5eaad74b9c22e85f152c231709c27adda2bac726b0c2a5e709f862be5
                                                                                                                          • Instruction ID: ff0491cc232d27793fc8621d5c7eec88b067f173c8f4b92e395fa464d3c06a49
                                                                                                                          • Opcode Fuzzy Hash: 73ee4be5eaad74b9c22e85f152c231709c27adda2bac726b0c2a5e709f862be5
                                                                                                                          • Instruction Fuzzy Hash: D5315375A402199FDB10DFA8D949A9EBBF4FF08711F148119F904FB281DB74E904CBA0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • GetCurrentProcessId.KERNEL32(?,00000000,?,?,0005B500), ref: 000250D3
                                                                                                                          • GetProcessId.KERNEL32(000000FF,?,?,open,00000000,00000000,?,000000FF,?,?), ref: 00025171
                                                                                                                          • CloseHandle.KERNEL32(00000000), ref: 0002518A
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Process$CloseCurrentHandle
                                                                                                                          • String ID: -q -%ls %ls %ls %u$Failed to allocate parameters for elevated process.$Failed to launch elevated child process: %ls$burn.elevated$open$runas
                                                                                                                          • API String ID: 2815245435-1352204306
                                                                                                                          • Opcode ID: d9e609c160808106e9d791e8793d43e47db7b06ded72a1430ad211484c393a84
                                                                                                                          • Instruction ID: acb60f984a09aa659d0b4e22c08bef0573af79c1b5e4f8d6ffa35d5033b18dee
                                                                                                                          • Opcode Fuzzy Hash: d9e609c160808106e9d791e8793d43e47db7b06ded72a1430ad211484c393a84
                                                                                                                          • Instruction Fuzzy Hash: C4218B75D0062CFFDF119F94DC429EEBBB9EF04352B40816AF915A3211D7359E209B90
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • GetModuleHandleW.KERNEL32(msi,DllGetVersion), ref: 000168AC
                                                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 000168B3
                                                                                                                          • GetLastError.KERNEL32 ref: 000168BD
                                                                                                                          Strings
                                                                                                                          • Failed to get msi.dll version info., xrefs: 00016905
                                                                                                                          • Failed to set variant value., xrefs: 00016929
                                                                                                                          • msi, xrefs: 000168A3
                                                                                                                          • DllGetVersion, xrefs: 0001689E
                                                                                                                          • Failed to find DllGetVersion entry point in msi.dll., xrefs: 000168EB
                                                                                                                          • variable.cpp, xrefs: 000168E1
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: AddressErrorHandleLastModuleProc
                                                                                                                          • String ID: DllGetVersion$Failed to find DllGetVersion entry point in msi.dll.$Failed to get msi.dll version info.$Failed to set variant value.$msi$variable.cpp
                                                                                                                          • API String ID: 4275029093-842451892
                                                                                                                          • Opcode ID: 05c6bb9bdf621d2501c65ccf3a092ec1451286cf901d598420996bd4e04e679b
                                                                                                                          • Instruction ID: 670474ebec75dec546a23fccbdcd1ce460dd63ae499976918aec302fd517eed2
                                                                                                                          • Opcode Fuzzy Hash: 05c6bb9bdf621d2501c65ccf3a092ec1451286cf901d598420996bd4e04e679b
                                                                                                                          • Instruction Fuzzy Hash: 34118776E4173977E7206BA89C46AFF7B989B08711F01051AFE01FA181EA759D4482E1
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • LoadLibraryExW.KERNEL32(?,00000000,00000008,00000000,?,000147FE,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,0001548E,?), ref: 0001D6DA
                                                                                                                          • GetLastError.KERNEL32(?,000147FE,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,0001548E,?,?), ref: 0001D6E7
                                                                                                                          • GetProcAddress.KERNEL32(00000000,BootstrapperApplicationCreate), ref: 0001D71F
                                                                                                                          • GetLastError.KERNEL32(?,000147FE,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,0001548E,?,?), ref: 0001D72B
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorLast$AddressLibraryLoadProc
                                                                                                                          • String ID: BootstrapperApplicationCreate$Failed to create UX.$Failed to get BootstrapperApplicationCreate entry-point$Failed to load UX DLL.$userexperience.cpp
                                                                                                                          • API String ID: 1866314245-2276003667
                                                                                                                          • Opcode ID: 21020e353483eb8a50b3ced4712f8a76d86ad4e01df2cf841384f4f3a9026754
                                                                                                                          • Instruction ID: ffecc83f8856c696fb46800c0e3f4d2b26f846e55dc22cac9f2f67e1ca03cf70
                                                                                                                          • Opcode Fuzzy Hash: 21020e353483eb8a50b3ced4712f8a76d86ad4e01df2cf841384f4f3a9026754
                                                                                                                          • Instruction Fuzzy Hash: 71119137A85732A7DB3156959C09BAB7B94AF05B62F010536FE54EB2C0EB28EC4087D0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,0001111A,cabinet.dll,00000009,?,?,00000000), ref: 00011186
                                                                                                                          • GetModuleHandleW.KERNEL32(kernel32,?,?,?,?,?,0001111A,cabinet.dll,00000009,?,?,00000000), ref: 00011191
                                                                                                                          • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 0001119F
                                                                                                                          • GetLastError.KERNEL32(?,?,?,?,?,0001111A,cabinet.dll,00000009,?,?,00000000), ref: 000111BA
                                                                                                                          • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 000111C2
                                                                                                                          • GetLastError.KERNEL32(?,?,?,?,?,0001111A,cabinet.dll,00000009,?,?,00000000), ref: 000111D7
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: AddressErrorLastProc$HandleHeapInformationModule
                                                                                                                          • String ID: SetDefaultDllDirectories$SetDllDirectoryW$kernel32
                                                                                                                          • API String ID: 3104334766-1824683568
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • EnterCriticalSection.KERNEL32(?), ref: 0002F64E
                                                                                                                          • LeaveCriticalSection.KERNEL32(?), ref: 0002F7C9
                                                                                                                          Strings
                                                                                                                          • Failed to set download URL., xrefs: 0002F728
                                                                                                                          • Failed to set download user., xrefs: 0002F751
                                                                                                                          • Engine is active, cannot change engine state., xrefs: 0002F668
                                                                                                                          • UX requested unknown container with id: %ls, xrefs: 0002F6F3
                                                                                                                          • Failed to set download password., xrefs: 0002F777
                                                                                                                          • UX requested unknown payload with id: %ls, xrefs: 0002F6A3
                                                                                                                          • UX denied while trying to set download URL on embedded payload: %ls, xrefs: 0002F6B9
                                                                                                                          • UX did not provide container or payload id., xrefs: 0002F7B8
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CriticalSection$EnterLeave
                                                                                                                          • String ID: Engine is active, cannot change engine state.$Failed to set download URL.$Failed to set download password.$Failed to set download user.$UX denied while trying to set download URL on embedded payload: %ls$UX did not provide container or payload id.$UX requested unknown container with id: %ls$UX requested unknown payload with id: %ls
                                                                                                                          • API String ID: 3168844106-2615595102
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • CreateFileW.KERNEL32(000000FF,C0000000,00000004,00000000,00000004,00000080,00000000,00000000,00000000,00000000,00000078,00000410,000000FF,?,00000000,00000000), ref: 00055A9B
                                                                                                                          • GetLastError.KERNEL32 ref: 00055AA9
                                                                                                                          • VirtualAlloc.KERNEL32(00000000,00010000,00003000,00000004), ref: 00055AEA
                                                                                                                          • GetLastError.KERNEL32 ref: 00055AF7
                                                                                                                          • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00055C6A
                                                                                                                          • CloseHandle.KERNEL32(?), ref: 00055C79
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorLastVirtual$AllocCloseCreateFileFreeHandle
                                                                                                                          • String ID: GET$dlutil.cpp
                                                                                                                          • API String ID: 2028584396-3303425918
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                            • Part of subcall function 00021020: CompareStringW.KERNEL32(00000000,00000000,feclient.dll,000000FF,00000000,000000FF,00000000,00000000,?,?,00020C6F,?,00000000,?,00000000,00000000), ref: 0002104F
                                                                                                                          • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,?,00000000,?,00000000,00000001,?,?,00000000,?,00000000), ref: 00020DF3
                                                                                                                          • GetLastError.KERNEL32 ref: 00020E00
                                                                                                                          Strings
                                                                                                                          • Failed to append cache action., xrefs: 00020D4A
                                                                                                                          • Failed to create syncpoint event., xrefs: 00020E2E
                                                                                                                          • Failed to append package start action., xrefs: 00020C95
                                                                                                                          • Failed to append rollback cache action., xrefs: 00020CCF
                                                                                                                          • plan.cpp, xrefs: 00020E24
                                                                                                                          • Failed to append payload cache action., xrefs: 00020DAA
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CompareCreateErrorEventLastString
                                                                                                                          • String ID: Failed to append cache action.$Failed to append package start action.$Failed to append payload cache action.$Failed to append rollback cache action.$Failed to create syncpoint event.$plan.cpp
                                                                                                                          • API String ID: 801187047-2489563283
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000000,74DEDFD0,000000FF,type,000000FF,?,74DEDFD0,74DEDFD0,74DEDFD0), ref: 00056F55
                                                                                                                          • SysFreeString.OLEAUT32(00000000), ref: 00056FA0
                                                                                                                          • SysFreeString.OLEAUT32(00000000), ref: 0005701C
                                                                                                                          • SysFreeString.OLEAUT32(00000000), ref: 00057068
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: String$Free$Compare
                                                                                                                          • String ID: `<u$type$url
                                                                                                                          • API String ID: 1324494773-1686489133
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000001,00000000,?,?,00020006,00000000,?,0005B500,00000000,?), ref: 000206D3
                                                                                                                          • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000001,00000000,?,?,00020006,00000000,?,0005B500,00000000,?), ref: 000206E2
                                                                                                                            • Part of subcall function 00050BE9: RegCreateKeyExW.ADVAPI32(00000001,00000000,00000000,00000000,00000000,00000001,00000000,?,00000000,00000001,?,?,0002061A,?,00000000,00020006), ref: 00050C0E
                                                                                                                          Strings
                                                                                                                          • %ls.RebootRequired, xrefs: 000205F0
                                                                                                                          • Failed to open registration key., xrefs: 0002071A
                                                                                                                          • Failed to write volatile reboot required registry key., xrefs: 0002061E
                                                                                                                          • crypt32.dll, xrefs: 000205AC
                                                                                                                          • Failed to delete registration key: %ls, xrefs: 00020681
                                                                                                                          • Failed to update resume mode., xrefs: 000206B7
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Close$Create
                                                                                                                          • String ID: %ls.RebootRequired$Failed to delete registration key: %ls$Failed to open registration key.$Failed to update resume mode.$Failed to write volatile reboot required registry key.$crypt32.dll
                                                                                                                          • API String ID: 359002179-3398658923
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • _MREFOpen@16.MSPDB140-MSVCRT ref: 0001F48A
                                                                                                                            • Part of subcall function 00014115: CreateDirectoryW.KERNELBASE(?,840F01E8,00000000,00000000,?,0002A0E8,00000000,00000000,?,00000000,000153BD,00000000,?,?,0001D5B5,?), ref: 00014123
                                                                                                                            • Part of subcall function 00014115: GetLastError.KERNEL32(?,0002A0E8,00000000,00000000,?,00000000,000153BD,00000000,?,?,0001D5B5,?,00000000,00000000), ref: 00014131
                                                                                                                          • lstrlenA.KERNEL32(0005B500,00000000,00000094,00000000,00000094,?,?,000204BF,swidtag,00000094,?,0005B518,000204BF,00000000,?,00000000), ref: 0001F4DD
                                                                                                                            • Part of subcall function 00054DB3: CreateFileW.KERNEL32(0005B500,40000000,00000001,00000000,00000002,00000080,00000000,000204BF,00000000,?,0001F4F4,?,00000080,0005B500,00000000), ref: 00054DCB
                                                                                                                            • Part of subcall function 00054DB3: GetLastError.KERNEL32(?,0001F4F4,?,00000080,0005B500,00000000,?,000204BF,?,00000094,?,?,?,?,?,00000000), ref: 00054DD8
                                                                                                                          Strings
                                                                                                                          • Failed to allocate regid folder path., xrefs: 0001F53C
                                                                                                                          • Failed to create regid folder: %ls, xrefs: 0001F525
                                                                                                                          • Failed to format tag folder path., xrefs: 0001F543
                                                                                                                          • swidtag, xrefs: 0001F49D
                                                                                                                          • Failed to allocate regid file path., xrefs: 0001F535
                                                                                                                          • Failed to write tag xml to file: %ls, xrefs: 0001F51B
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CreateErrorLast$DirectoryFileOpen@16lstrlen
                                                                                                                          • String ID: Failed to allocate regid file path.$Failed to allocate regid folder path.$Failed to create regid folder: %ls$Failed to format tag folder path.$Failed to write tag xml to file: %ls$swidtag
                                                                                                                          • API String ID: 904508749-1201533908
                                                                                                                          • Opcode ID: 4ab88a77cb7560cb6ca8d58b81a03bed4ae13a55de3e895552411af42bd6569e
                                                                                                                          • Instruction ID: 28076ddf786f6cbab7e36c83c91f045bfd928f052ffa3d7e092e352d34510cd9
                                                                                                                          • Opcode Fuzzy Hash: 4ab88a77cb7560cb6ca8d58b81a03bed4ae13a55de3e895552411af42bd6569e
                                                                                                                          • Instruction Fuzzy Hash: CC318F31D00A1AFBDF21AF94CC41BEDBBB6AF04711F144175EA14BB262E7719E909B90
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • WaitForSingleObject.KERNEL32(?,0002BF20,?,F0000003,00000000,00000000,?,00000000,00000000,00000000,0001548E,00000000,00000000,?,00000000), ref: 0002548B
                                                                                                                          • GetLastError.KERNEL32(?,?,?,00014C61,?,?,00000000,?,?,?,?,?,?,0005B4A0,?,?), ref: 00025496
                                                                                                                          Strings
                                                                                                                          • Failed to post terminate message to child process., xrefs: 00025476
                                                                                                                          • Failed to wait for child process exit., xrefs: 000254C4
                                                                                                                          • pipe.cpp, xrefs: 000254BA
                                                                                                                          • Failed to post terminate message to child process cache thread., xrefs: 0002545A
                                                                                                                          • Failed to write exit code to message buffer., xrefs: 00025406
                                                                                                                          • Failed to write restart to message buffer., xrefs: 0002542E
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorLastObjectSingleWait
                                                                                                                          • String ID: Failed to post terminate message to child process cache thread.$Failed to post terminate message to child process.$Failed to wait for child process exit.$Failed to write exit code to message buffer.$Failed to write restart to message buffer.$pipe.cpp
                                                                                                                          • API String ID: 1211598281-2161881128
                                                                                                                          • Opcode ID: 3514eead4a04dab2152a82957845195a8c588b0760468299e74049bd1fc4bc9e
                                                                                                                          • Instruction ID: 87e8899688522010d7d805dad035ce342665eb62b3a2f855922ba847b658335e
                                                                                                                          • Opcode Fuzzy Hash: 3514eead4a04dab2152a82957845195a8c588b0760468299e74049bd1fc4bc9e
                                                                                                                          • Instruction Fuzzy Hash: F321E633941A35BBDB226A50EC05EDEF769AF0173BF104252F900BA191D735AD9096E8
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • CreateFileW.KERNEL32(00000000,80000000,00000005,00000000,00000003,08000000,00000000,00000000,00000101,?,00029F04,00000003,000007D0,00000003,?,000007D0), ref: 000290B2
                                                                                                                          • GetLastError.KERNEL32(?,00029F04,00000003,000007D0,00000003,?,000007D0,00000000,000007D0,00000000,00000003,00000000,00000003,000007D0,00000001,?), ref: 000290BF
                                                                                                                          • CloseHandle.KERNEL32(00000000,?,00029F04,00000003,000007D0,00000003,?,000007D0,00000000,000007D0,00000000,00000003,00000000,00000003,000007D0,00000001), ref: 00029187
                                                                                                                          Strings
                                                                                                                          • Failed to verify catalog signature of payload: %ls, xrefs: 0002914E
                                                                                                                          • Failed to verify signature of payload: %ls, xrefs: 0002912F
                                                                                                                          • Failed to verify hash of payload: %ls, xrefs: 00029172
                                                                                                                          • cache.cpp, xrefs: 000290F6
                                                                                                                          • Failed to open payload at path: %ls, xrefs: 00029103
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CloseCreateErrorFileHandleLast
                                                                                                                          • String ID: Failed to open payload at path: %ls$Failed to verify catalog signature of payload: %ls$Failed to verify hash of payload: %ls$Failed to verify signature of payload: %ls$cache.cpp
                                                                                                                          • API String ID: 2528220319-2757871984
                                                                                                                          • Opcode ID: 0e42b7adfd6bee3779f7bfe8f741a484ae50fd4705dc2c05027f66a9c11f8b08
                                                                                                                          • Instruction ID: 4bf6492ca280c1b721f224847e27033156baff072d16e8d10b0f8a036baa93ec
                                                                                                                          • Opcode Fuzzy Hash: 0e42b7adfd6bee3779f7bfe8f741a484ae50fd4705dc2c05027f66a9c11f8b08
                                                                                                                          • Instruction Fuzzy Hash: A621F136540637B7EB321A65AC4DBAF7A59BF00760F104311FE186A1A1D7229C71EAD1
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00016B69
                                                                                                                          • GetLastError.KERNEL32 ref: 00016B73
                                                                                                                          • GetVolumePathNameW.KERNEL32(?,?,00000104), ref: 00016BB7
                                                                                                                          • GetLastError.KERNEL32 ref: 00016BC1
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorLast$DirectoryNamePathVolumeWindows
                                                                                                                          • String ID: Failed to get volume path name.$Failed to get windows directory.$Failed to set variant value.$variable.cpp
                                                                                                                          • API String ID: 124030351-4026719079
                                                                                                                          • Opcode ID: e700b7d6a0dca3c22aa757c4d1f522fe2efe73e402cdd2d0a10ed88912f28fa4
                                                                                                                          • Instruction ID: eda82c649cfeb2c2a9bd92acb3780d656b9cf778315e18b73c71a9a361edf636
                                                                                                                          • Opcode Fuzzy Hash: e700b7d6a0dca3c22aa757c4d1f522fe2efe73e402cdd2d0a10ed88912f28fa4
                                                                                                                          • Instruction Fuzzy Hash: F221D377E4133967E73097948D46FEF76AC9B00B11F010166BE04FB182EA39AE8086E5
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • _MREFOpen@16.MSPDB140-MSVCRT ref: 00019C88
                                                                                                                          • GetFileAttributesW.KERNEL32(00000000,000002C0,?,00000000,00000000,000002C0,00000100,00000000,000002C0,?,0001A895,00000100,000002C0,000002C0,?,000002C0), ref: 00019CA0
                                                                                                                          • GetLastError.KERNEL32(?,0001A895,00000100,000002C0,000002C0,?,000002C0,00000100,000002C0,000002C0,00000100), ref: 00019CAB
                                                                                                                          Strings
                                                                                                                          • Failed to set variable., xrefs: 00019D2B
                                                                                                                          • Failed to format variable string., xrefs: 00019C93
                                                                                                                          • search.cpp, xrefs: 00019CDB
                                                                                                                          • File search: %ls, did not find path: %ls, xrefs: 00019CFD
                                                                                                                          • Failed get to file attributes. '%ls', xrefs: 00019CE8
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: AttributesErrorFileLastOpen@16
                                                                                                                          • String ID: Failed get to file attributes. '%ls'$Failed to format variable string.$Failed to set variable.$File search: %ls, did not find path: %ls$search.cpp
                                                                                                                          • API String ID: 1811509786-2053429945
                                                                                                                          • Opcode ID: 016f43a8c49ca49223cce04dae3bf67e27fbafd4b36faeb2e3a7a260dca98ef4
                                                                                                                          • Instruction ID: 82480f1c2c634da8b62362d97ea4e5965e57d767577829872a950faa7cab0b2d
                                                                                                                          • Opcode Fuzzy Hash: 016f43a8c49ca49223cce04dae3bf67e27fbafd4b36faeb2e3a7a260dca98ef4
                                                                                                                          • Instruction Fuzzy Hash: 88215733940234BBEB211A949D47FEFB6A8EF14762F200221FE587A191D7316E9096D2
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • TlsSetValue.KERNEL32(?,?), ref: 0002AD57
                                                                                                                          • GetLastError.KERNEL32 ref: 0002AD61
                                                                                                                          • CoInitializeEx.OLE32(00000000,00000000), ref: 0002ADA0
                                                                                                                          • CoUninitialize.OLE32(?,0002C721,?,?), ref: 0002ADDD
                                                                                                                          Strings
                                                                                                                          • Failed to initialize COM., xrefs: 0002ADAC
                                                                                                                          • Failed to set elevated cache pipe into thread local storage for logging., xrefs: 0002AD8F
                                                                                                                          • elevation.cpp, xrefs: 0002AD85
                                                                                                                          • Failed to pump messages in child process., xrefs: 0002ADCB
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorInitializeLastUninitializeValue
                                                                                                                          • String ID: Failed to initialize COM.$Failed to pump messages in child process.$Failed to set elevated cache pipe into thread local storage for logging.$elevation.cpp
                                                                                                                          • API String ID: 876858697-113251691
                                                                                                                          • Opcode ID: 10e496899a9a5d1f726c95f21ac37da77294b2ce592bbe260dc0515ed7f7f0c0
                                                                                                                          • Instruction ID: 92d3124e522e25b1e4a39b3fa5053c3b75bb91920826677aead2bf3ca2bc1be3
                                                                                                                          • Opcode Fuzzy Hash: 10e496899a9a5d1f726c95f21ac37da77294b2ce592bbe260dc0515ed7f7f0c0
                                                                                                                          • Instruction Fuzzy Hash: 78110673A41A35BBD7211794EC059EFBE68EF06B62B110256FD01BB550DF70AD00C6D1
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • RegCloseKey.ADVAPI32(00000000,?,00000000,CommonFilesDir,?,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion,00020119,00000000), ref: 00015D68
                                                                                                                            • Part of subcall function 000510B5: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 0005112B
                                                                                                                            • Part of subcall function 000510B5: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00051163
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: QueryValue$Close
                                                                                                                          • String ID: +$CommonFilesDir$Failed to ensure path was backslash terminated.$Failed to open Windows folder key.$Failed to read folder path for '%ls'.$ProgramFilesDir$SOFTWARE\Microsoft\Windows\CurrentVersion
                                                                                                                          • API String ID: 1979452859-3209209246
                                                                                                                          • Opcode ID: 4648fc4baf8be81d8226a0f6da441a5dba5c2762248f39b6a1a6d515d43b2ccf
                                                                                                                          • Instruction ID: 26473e808e108db8596baf0aa6caeb55181edf5d5009a3ad902c03622679ad53
                                                                                                                          • Opcode Fuzzy Hash: 4648fc4baf8be81d8226a0f6da441a5dba5c2762248f39b6a1a6d515d43b2ccf
                                                                                                                          • Instruction Fuzzy Hash: 8401D232944628F7CB326664EC0AEDF7769CB80723F154157FD006E26197718E849791
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • SetFileAttributesW.KERNEL32(?,00000000,?,00000000,?,?,?,?,00000000,00000000), ref: 0003A33E
                                                                                                                          • GetLastError.KERNEL32(?,?,?,?,00000000,00000000), ref: 0003A348
                                                                                                                          Strings
                                                                                                                          • apply.cpp, xrefs: 0003A36C
                                                                                                                          • Failed attempt to download URL: '%ls' to: '%ls', xrefs: 0003A425
                                                                                                                          • :, xrefs: 0003A3C1
                                                                                                                          • download, xrefs: 0003A308
                                                                                                                          • Failed to clear readonly bit on payload destination path: %ls, xrefs: 0003A377
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: AttributesErrorFileLast
                                                                                                                          • String ID: :$Failed attempt to download URL: '%ls' to: '%ls'$Failed to clear readonly bit on payload destination path: %ls$apply.cpp$download
                                                                                                                          • API String ID: 1799206407-1905830404
                                                                                                                          • Opcode ID: e5e74a59cee76a3e0d7e384f082b4a538b008ae6e3aba77826a5d0b1247ed0c4
                                                                                                                          • Instruction ID: eecf09c4d8f76b82e88a81066f6c0719c9d0df8fe6a121dbd00e9b759d83b733
                                                                                                                          • Opcode Fuzzy Hash: e5e74a59cee76a3e0d7e384f082b4a538b008ae6e3aba77826a5d0b1247ed0c4
                                                                                                                          • Instruction Fuzzy Hash: 8B519C76A00219ABDB12DFA8C845AEFB7F8FF05710F108159F944EB240E375EA40CB92
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                            • Part of subcall function 0001394F: GetProcessHeap.KERNEL32(?,000001C7,?,00012274,000001C7,00000001,80004005,8007139F,?,?,00050267,8007139F,?,00000000,00000000,8007139F), ref: 00013960
                                                                                                                            • Part of subcall function 0001394F: RtlAllocateHeap.NTDLL(00000000,?,00012274,000001C7,00000001,80004005,8007139F,?,?,00050267,8007139F,?,00000000,00000000,8007139F), ref: 00013967
                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,http://appsyndication.org/2006/appsyn,000000FF,00000010,00000001,00000000,00000000,00000410,?,?,00039063,000002C0,00000100), ref: 000584F5
                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,application,000000FF,?,?,00039063,000002C0,00000100,000002C0,000002C0,00000100,000002C0,00000410), ref: 00058510
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CompareHeapString$AllocateProcess
                                                                                                                          • String ID: application$apuputil.cpp$http://appsyndication.org/2006/appsyn$type
                                                                                                                          • API String ID: 2664528157-4206478990
                                                                                                                          • Opcode ID: ef3f050c997510367e28be5de6bef519b7ece0ec011e2f02269d76e1356062f0
                                                                                                                          • Instruction ID: a6567c09b26d4cf12775a7d6ec2c3eabb55983dc4102ce8a1100b0afa7589d06
                                                                                                                          • Opcode Fuzzy Hash: ef3f050c997510367e28be5de6bef519b7ece0ec011e2f02269d76e1356062f0
                                                                                                                          • Instruction Fuzzy Hash: 5651A131644701AFDB609E14CC81F5B7BE5AB00762F20C614FE69EB2D2EB71ED448B54
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • GetLastError.KERNEL32 ref: 00056513
                                                                                                                          • DeleteFileW.KERNEL32(00000410,00000000,00000000,?,?,00000078,000000FF,00000410,?,?,?,00000078,000000FF,?,?,00000078), ref: 0005660A
                                                                                                                          • CloseHandle.KERNEL32(000000FF,00000000,00000000,?,?,00000078,000000FF,00000410,?,?,?,00000078,000000FF,?,?,00000078), ref: 00056619
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CloseDeleteErrorFileHandleLast
                                                                                                                          • String ID: Burn$DownloadTimeout$WiX\Burn$dlutil.cpp
                                                                                                                          • API String ID: 3522763407-1704223933
                                                                                                                          • Opcode ID: 8076d6af5bbdf60f32f100e794a540df2c6ba61c108d97358a20d04d5fe10a87
                                                                                                                          • Instruction ID: 5e49714618883fb4c96b161800314e78c2caff26f5a255396532a606e7bd7f88
                                                                                                                          • Opcode Fuzzy Hash: 8076d6af5bbdf60f32f100e794a540df2c6ba61c108d97358a20d04d5fe10a87
                                                                                                                          • Instruction Fuzzy Hash: C7514772D00619BBDF52DFA48C45AEFBBB9EB08711F004165FA14E7150EB369A14DBA0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • _MREFOpen@16.MSPDB140-MSVCRT ref: 00019EED
                                                                                                                          • _MREFOpen@16.MSPDB140-MSVCRT ref: 00019F12
                                                                                                                          Strings
                                                                                                                          • Failed to set variable., xrefs: 00019FF6
                                                                                                                          • Failed to format product code string., xrefs: 00019F1D
                                                                                                                          • MsiComponentSearch failed: ID '%ls', HRESULT 0x%x, xrefs: 0001A006
                                                                                                                          • Failed to get component path: %d, xrefs: 00019F76
                                                                                                                          • Failed to format component id string., xrefs: 00019EF8
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Open@16
                                                                                                                          • String ID: Failed to format component id string.$Failed to format product code string.$Failed to get component path: %d$Failed to set variable.$MsiComponentSearch failed: ID '%ls', HRESULT 0x%x
                                                                                                                          • API String ID: 3613110473-1671347822
                                                                                                                          • Opcode ID: 761891dc626e0c2fec2ebf855ce037c62006258119284c0ff95b6f5abd59176e
                                                                                                                          • Instruction ID: e782dbb4ddff45e2d20c6cf9f4288593ebca0138472a49eb0ff3ff300a69bb78
                                                                                                                          • Opcode Fuzzy Hash: 761891dc626e0c2fec2ebf855ce037c62006258119284c0ff95b6f5abd59176e
                                                                                                                          • Instruction Fuzzy Hash: 7A411432900115BACF759AA88C56FFFB7A8EF04311F24463AF914E6192D7319EC1D792
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • EnterCriticalSection.KERNEL32(0007B5FC,00000000,?,?,?,00024207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,000154FA,?), ref: 00050533
                                                                                                                          • CreateFileW.KERNEL32(40000000,00000001,00000000,00000000,00000080,00000000,?,00000000,?,?,?,0007B5F4,?,00024207,00000000,Setup), ref: 000505D7
                                                                                                                          • GetLastError.KERNEL32(?,00024207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,000154FA,?,?,?), ref: 000505E7
                                                                                                                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00024207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,000154FA,?), ref: 00050621
                                                                                                                            • Part of subcall function 00012DBF: GetLocalTime.KERNEL32(?,?,?,?,?,?), ref: 00012F09
                                                                                                                          • LeaveCriticalSection.KERNEL32(0007B5FC,?,?,0007B5F4,?,00024207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,000154FA,?), ref: 0005067A
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CriticalFileSection$CreateEnterErrorLastLeaveLocalPointerTime
                                                                                                                          • String ID: P o$logutil.cpp
                                                                                                                          • API String ID: 4111229724-508742946
                                                                                                                          • Opcode ID: 7bcb19584d49fceab642105374c7ce74cb3663e72d15085b21b1e39d252ecf4f
                                                                                                                          • Instruction ID: 114075c8a31c62717e67b235601438a67239338f39265346872578d40f657c8c
                                                                                                                          • Opcode Fuzzy Hash: 7bcb19584d49fceab642105374c7ce74cb3663e72d15085b21b1e39d252ecf4f
                                                                                                                          • Instruction Fuzzy Hash: 8D31E431D0062AFFEB219F609D46FAF76A8EB00756F414124FE04AB161D739CDA4DBA4
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • RegCloseKey.ADVAPI32(?,?,?,00000001,?,?,?,00000001,00000000,?,00000000,?,?,?,00000000,?), ref: 0001F942
                                                                                                                          • RegCloseKey.ADVAPI32(00000000,?,?,00000001,?,?,?,00000001,00000000,?,00000000,?,?,?,00000000,?), ref: 0001F94F
                                                                                                                          Strings
                                                                                                                          • %ls.RebootRequired, xrefs: 0001F82F
                                                                                                                          • Failed to open registration key., xrefs: 0001F8AB
                                                                                                                          • Resume, xrefs: 0001F8B6
                                                                                                                          • Failed to format pending restart registry key to read., xrefs: 0001F846
                                                                                                                          • Failed to read Resume value., xrefs: 0001F8D8
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Close
                                                                                                                          • String ID: %ls.RebootRequired$Failed to format pending restart registry key to read.$Failed to open registration key.$Failed to read Resume value.$Resume
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID: Failed to determine length of relative path.$Failed to determine length of source path.$Failed to set last source.$Failed to trim source folder.$WixBundleLastUsedSource
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • CoCreateInstance.OLE32(00070C4C,00000000,00000017,00070C5C,?,?,00000000,00000000,?,?,?,?,?,0003DEE7,00000000,00000000), ref: 0003D8E8
                                                                                                                          Strings
                                                                                                                          • WixBurn, xrefs: 0003D913
                                                                                                                          • Failed to set BITS job to foreground., xrefs: 0003D969
                                                                                                                          • Failed to create BITS job., xrefs: 0003D922
                                                                                                                          • Failed to set progress timeout., xrefs: 0003D952
                                                                                                                          • Failed to set notification flags for BITS job., xrefs: 0003D93A
                                                                                                                          • Failed to create IBackgroundCopyManager., xrefs: 0003D8F4
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CreateInstance
                                                                                                                          • String ID: Failed to create BITS job.$Failed to create IBackgroundCopyManager.$Failed to set BITS job to foreground.$Failed to set notification flags for BITS job.$Failed to set progress timeout.$WixBurn
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • CreateFileW.KERNEL32(00000000,C0000000,00000004,00000000,00000004,00000080,00000000,00000000,?,?,?,?,?,WiX\Burn,DownloadTimeout,00000078), ref: 00055DF8
                                                                                                                          • GetLastError.KERNEL32 ref: 00055E05
                                                                                                                          • ReadFile.KERNEL32(00000000,00000008,00000008,?,00000000), ref: 00055E4C
                                                                                                                          • GetLastError.KERNEL32 ref: 00055E80
                                                                                                                          • CloseHandle.KERNEL32(00000000,dlutil.cpp,000000C8,00000000), ref: 00055EB4
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorFileLast$CloseCreateHandleRead
                                                                                                                          • String ID: %ls.R$dlutil.cpp
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                            • Part of subcall function 0001CD5E: CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,0001E444,000000FF,00000000,00000000,0001E444,?,?,0001DBEB,?,?,?,?), ref: 0001CD89
                                                                                                                          • CreateFileW.KERNEL32(E90005BA,80000000,00000005,00000000,00000003,08000000,00000000,000153C5,?,00000000,840F01E8,14680A79,00000001,000153BD,00000000,00015489), ref: 0001C956
                                                                                                                          • GetLastError.KERNEL32(?,?,?,00027809,0001566D,00015479,00015479,00000000,?,00015489,FFF9E89D,00015489,000154BD,00015445,?,00015445), ref: 0001C99B
                                                                                                                          Strings
                                                                                                                          • Failed to find payload for catalog file., xrefs: 0001C9E0
                                                                                                                          • Failed to get catalog local file path, xrefs: 0001C9D9
                                                                                                                          • Failed to verify catalog signature: %ls, xrefs: 0001C994
                                                                                                                          • catalog.cpp, xrefs: 0001C9BC
                                                                                                                          • Failed to open catalog in working path: %ls, xrefs: 0001C9C9
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CompareCreateErrorFileLastString
                                                                                                                          • String ID: Failed to find payload for catalog file.$Failed to get catalog local file path$Failed to open catalog in working path: %ls$Failed to verify catalog signature: %ls$catalog.cpp
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • WaitForSingleObject.KERNEL32(?,000000FF,74DF30B0,00000000,?,?,?,?,0003D642,?), ref: 0003D357
                                                                                                                          • ReleaseMutex.KERNEL32(?,?,?,?,0003D642,?), ref: 0003D375
                                                                                                                          • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0003D3B6
                                                                                                                          • ReleaseMutex.KERNEL32(?), ref: 0003D3CD
                                                                                                                          • SetEvent.KERNEL32(?), ref: 0003D3D6
                                                                                                                          Strings
                                                                                                                          • Failed to get message from netfx chainer., xrefs: 0003D3F7
                                                                                                                          • Failed to send files in use message from netfx chainer., xrefs: 0003D41C
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: MutexObjectReleaseSingleWait$Event
                                                                                                                          • String ID: Failed to get message from netfx chainer.$Failed to send files in use message from netfx chainer.
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • CreateProcessW.KERNEL32(00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,00000000), ref: 000509AB
                                                                                                                          • GetLastError.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 000509B5
                                                                                                                          • CloseHandle.KERNEL32(?,?,?,?,?,00000000,00000000,00000000), ref: 000509FE
                                                                                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,00000000,00000000), ref: 00050A0B
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CloseHandle$CreateErrorLastProcess
                                                                                                                          • String ID: "%ls" %ls$D$procutil.cpp
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • _MREFOpen@16.MSPDB140-MSVCRT ref: 00019BB3
                                                                                                                          • GetFileAttributesW.KERNEL32(00000000,000002C0,?,00000000,00000000,000002C0,00000100,00000000,?,0001A8AB,00000100,000002C0,000002C0,00000100), ref: 00019BD3
                                                                                                                          • GetLastError.KERNEL32(?,0001A8AB,00000100,000002C0,000002C0,00000100), ref: 00019BDE
                                                                                                                          Strings
                                                                                                                          • Failed to format variable string., xrefs: 00019BBE
                                                                                                                          • Directory search: %ls, did not find path: %ls, reason: 0x%x, xrefs: 00019C4A
                                                                                                                          • Failed while searching directory search: %ls, for path: %ls, xrefs: 00019C34
                                                                                                                          • Failed to set directory search path variable., xrefs: 00019C0F
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: AttributesErrorFileLastOpen@16
                                                                                                                          • String ID: Directory search: %ls, did not find path: %ls, reason: 0x%x$Failed to format variable string.$Failed to set directory search path variable.$Failed while searching directory search: %ls, for path: %ls
                                                                                                                          • API String ID: 1811509786-2966038646
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • _MREFOpen@16.MSPDB140-MSVCRT ref: 00019D64
                                                                                                                          • GetFileAttributesW.KERNEL32(00000000,000002C0,?,00000000,00000000,000002C0,00000100,000002C0,?,0001A883,00000100,000002C0,000002C0,?,000002C0,00000100), ref: 00019D84
                                                                                                                          • GetLastError.KERNEL32(?,0001A883,00000100,000002C0,000002C0,?,000002C0,00000100,000002C0,000002C0,00000100), ref: 00019D8F
                                                                                                                          Strings
                                                                                                                          • Failed to set variable to file search path., xrefs: 00019DE7
                                                                                                                          • Failed to format variable string., xrefs: 00019D6F
                                                                                                                          • File search: %ls, did not find path: %ls, xrefs: 00019DF3
                                                                                                                          • Failed while searching file search: %ls, for path: %ls, xrefs: 00019DBD
                                                                                                                          Similarity
                                                                                                                          • API ID: AttributesErrorFileLastOpen@16
                                                                                                                          • String ID: Failed to format variable string.$Failed to set variable to file search path.$Failed while searching file search: %ls, for path: %ls$File search: %ls, did not find path: %ls
                                                                                                                          • API String ID: 1811509786-3425311760
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • WaitForSingleObject.KERNEL32(00000001,000493E0,00000000,?,?,0002D365,00000000,?,?,0002C7C9,00000001,?,?,?,?,?), ref: 0002CF37
                                                                                                                          • GetLastError.KERNEL32(?,?,0002D365,00000000,?,?,0002C7C9,00000001,?,?,?,?,?,00000000,00000000,?), ref: 0002CF41
                                                                                                                          • GetExitCodeThread.KERNEL32(00000001,?,?,?,0002D365,00000000,?,?,0002C7C9,00000001,?,?,?,?,?,00000000), ref: 0002CF7D
                                                                                                                          • GetLastError.KERNEL32(?,?,0002D365,00000000,?,?,0002C7C9,00000001,?,?,?,?,?,00000000,00000000,?), ref: 0002CF87
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorLast$CodeExitObjectSingleThreadWait
                                                                                                                          • String ID: Failed to get cache thread exit code.$Failed to wait for cache thread to terminate.$elevation.cpp
                                                                                                                          • API String ID: 3686190907-1954264426
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • WaitForSingleObject.KERNEL32(00000001,000000FF,00000000,?,00026EED,crypt32.dll,?,00000000,?,00000000,00000001), ref: 000269BB
                                                                                                                          • GetLastError.KERNEL32(?,00026EED,crypt32.dll,?,00000000,?,00000000,00000001), ref: 000269C5
                                                                                                                          • GetExitCodeThread.KERNEL32(00000001,00000000,?,00026EED,crypt32.dll,?,00000000,?,00000000,00000001), ref: 00026A04
                                                                                                                          • GetLastError.KERNEL32(?,00026EED,crypt32.dll,?,00000000,?,00000000,00000001), ref: 00026A0E
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorLast$CodeExitObjectSingleThreadWait
                                                                                                                          • String ID: Failed to get cache thread exit code.$Failed to wait for cache thread to terminate.$core.cpp
                                                                                                                          • API String ID: 3686190907-2546940223
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • EnterCriticalSection.KERNEL32(?), ref: 0002F7EE
                                                                                                                          • LeaveCriticalSection.KERNEL32(?), ref: 0002F8FB
                                                                                                                          Strings
                                                                                                                          • Engine is active, cannot change engine state., xrefs: 0002F808
                                                                                                                          • Failed to set source path for payload., xrefs: 0002F88A
                                                                                                                          • UX requested unknown container with id: %ls, xrefs: 0002F8BA
                                                                                                                          • Failed to set source path for container., xrefs: 0002F8E0
                                                                                                                          • UX requested unknown payload with id: %ls, xrefs: 0002F85A
                                                                                                                          • UX denied while trying to set source on embedded payload: %ls, xrefs: 0002F870
                                                                                                                          Similarity
                                                                                                                          • API ID: CriticalSection$EnterLeave
                                                                                                                          • String ID: Engine is active, cannot change engine state.$Failed to set source path for container.$Failed to set source path for payload.$UX denied while trying to set source on embedded payload: %ls$UX requested unknown container with id: %ls$UX requested unknown payload with id: %ls
                                                                                                                          • API String ID: 3168844106-4121889706
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • lstrlenW.KERNEL32(00000000), ref: 00017210
                                                                                                                          Strings
                                                                                                                          • Failed to allocate buffer for escaped string., xrefs: 00017227
                                                                                                                          • []{}, xrefs: 0001723A
                                                                                                                          • Failed to append escape sequence., xrefs: 000172A3
                                                                                                                          • Failed to copy string., xrefs: 000172C4
                                                                                                                          • Failed to append characters., xrefs: 0001729C
                                                                                                                          • [\%c], xrefs: 0001726F
                                                                                                                          • Failed to format escape sequence., xrefs: 000172AA
                                                                                                                          Similarity
                                                                                                                          • API ID: lstrlen
                                                                                                                          • String ID: Failed to allocate buffer for escaped string.$Failed to append characters.$Failed to append escape sequence.$Failed to copy string.$Failed to format escape sequence.$[\%c]$[]{}
                                                                                                                          • API String ID: 1659193697-3250950999
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • CompareStringW.KERNEL32(00000000,00000000,0005B500,000000FF,feclient.dll,000000FF,00000000,00000000,?,?,?,000367DE,?,00000001,?,0005B4A0), ref: 00035C45
                                                                                                                          Strings
                                                                                                                          • Failed to copy target product code., xrefs: 00035D78
                                                                                                                          • feclient.dll, xrefs: 00035C3B, 00035D65
                                                                                                                          • Failed to insert execute action., xrefs: 00035C9A
                                                                                                                          • Failed to plan action for target product., xrefs: 00035CF0
                                                                                                                          • Failed grow array of ordered patches., xrefs: 00035CDE
                                                                                                                          Similarity
                                                                                                                          • API ID: CompareString
                                                                                                                          • String ID: Failed grow array of ordered patches.$Failed to copy target product code.$Failed to insert execute action.$Failed to plan action for target product.$feclient.dll
                                                                                                                          • API String ID: 1825529933-3477540455
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,0004D262,00000000,00000000,00000000,00000000,00000000,00042F1D), ref: 0004CB2F
                                                                                                                          • __fassign.LIBCMT ref: 0004CBAA
                                                                                                                          • __fassign.LIBCMT ref: 0004CBC5
                                                                                                                          • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 0004CBEB
                                                                                                                          • WriteFile.KERNEL32(?,00000000,00000000,0004D262,00000000,?,?,?,?,?,?,?,?,?,0004D262,00000000), ref: 0004CC0A
                                                                                                                          • WriteFile.KERNEL32(?,00000000,00000001,0004D262,00000000,?,?,?,?,?,?,?,?,?,0004D262,00000000), ref: 0004CC43
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1324828854-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • CompareStringW.KERNEL32(00000000,00000001,?,000000FF,?,000000FF,00000000,00000100,00000000,?,?,?,00027113,000000B8,0000001C,00000100), ref: 000392A4
                                                                                                                          • CompareStringW.KERNEL32(00000000,00000001,?,000000FF,0005B4B8,000000FF,?,?,?,00027113,000000B8,0000001C,00000100,00000100,00000100,000000B0), ref: 0003932E
                                                                                                                          Strings
                                                                                                                          • Failed to initialize update bundle., xrefs: 000393D1
                                                                                                                          • detect.cpp, xrefs: 0003938E
                                                                                                                          • comres.dll, xrefs: 000393B0
                                                                                                                          • BA aborted detect forward compatible bundle., xrefs: 00039398
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CompareString
                                                                                                                          • String ID: BA aborted detect forward compatible bundle.$Failed to initialize update bundle.$comres.dll$detect.cpp
                                                                                                                          • API String ID: 1825529933-439563586
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • GetLastError.KERNEL32(00015479,000000FF,00AAC56B,E90005BA,000153BD,00000000,?,E90005BA,00000000), ref: 0002AC94
                                                                                                                          • GetLastError.KERNEL32(00000000,00000000,00000000,00000000,00015479,000000FF,00AAC56B,E90005BA,000153BD,00000000,?,E90005BA,00000000), ref: 0002ACD8
                                                                                                                          Strings
                                                                                                                          • Failed to get signer chain from authenticode certificate., xrefs: 0002AD06
                                                                                                                          • Failed to verify expected payload against actual certificate chain., xrefs: 0002AD1E
                                                                                                                          • Failed authenticode verification of payload: %ls, xrefs: 0002AC75
                                                                                                                          • cache.cpp, xrefs: 0002AC6A, 0002ACB8, 0002ACFC
                                                                                                                          • Failed to get provider state from authenticode certificate., xrefs: 0002ACC2
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorLast
                                                                                                                          • String ID: Failed authenticode verification of payload: %ls$Failed to get provider state from authenticode certificate.$Failed to get signer chain from authenticode certificate.$Failed to verify expected payload against actual certificate chain.$cache.cpp
                                                                                                                          • API String ID: 1452528299-2590768268
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,00000000,00000000), ref: 0005033C
                                                                                                                          • GetComputerNameW.KERNEL32(?,?), ref: 00050394
                                                                                                                          Strings
                                                                                                                          • --- logging level: %hs ---, xrefs: 00050454
                                                                                                                          • Executable: %ls v%d.%d.%d.%d, xrefs: 000503F0
                                                                                                                          • Computer : %ls, xrefs: 00050402
                                                                                                                          • === Logging started: %ls ===, xrefs: 000503BF
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Name$ComputerFileModule
                                                                                                                          • String ID: --- logging level: %hs ---$=== Logging started: %ls ===$Computer : %ls$Executable: %ls v%d.%d.%d.%d
                                                                                                                          • API String ID: 2577110986-3153207428
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • CloseHandle.KERNEL32(00000000,?,?,00000001,0005B500,?,00000001,000000FF,?,?,75C0B390,00000000,00000001,00000000,?,000274E6), ref: 0002D560
                                                                                                                          Strings
                                                                                                                          • Failed to connect to elevated child process., xrefs: 0002D549
                                                                                                                          • UX aborted elevation requirement., xrefs: 0002D475
                                                                                                                          • Failed to elevate., xrefs: 0002D542
                                                                                                                          • elevation.cpp, xrefs: 0002D46B
                                                                                                                          • Failed to create pipe and cache pipe., xrefs: 0002D4BD
                                                                                                                          • Failed to create pipe name and client token., xrefs: 0002D4A1
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CloseHandle
                                                                                                                          • String ID: Failed to connect to elevated child process.$Failed to create pipe and cache pipe.$Failed to create pipe name and client token.$Failed to elevate.$UX aborted elevation requirement.$elevation.cpp
                                                                                                                          • API String ID: 2962429428-3003415917
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • CreateThread.KERNEL32(00000000,00000000,0002AD40,?,00000000,00000000), ref: 0002D2E9
                                                                                                                          • GetLastError.KERNEL32(?,?,?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0002D2F5
                                                                                                                            • Part of subcall function 0002CF25: WaitForSingleObject.KERNEL32(00000001,000493E0,00000000,?,?,0002D365,00000000,?,?,0002C7C9,00000001,?,?,?,?,?), ref: 0002CF37
                                                                                                                            • Part of subcall function 0002CF25: GetLastError.KERNEL32(?,?,0002D365,00000000,?,?,0002C7C9,00000001,?,?,?,?,?,00000000,00000000,?), ref: 0002CF41
                                                                                                                          • CloseHandle.KERNEL32(00000000,00000000,?,?,0002C7C9,00000001,?,?,?,?,?,00000000,00000000,?,?,?), ref: 0002D376
                                                                                                                          Strings
                                                                                                                          • Failed to create elevated cache thread., xrefs: 0002D323
                                                                                                                          • elevation.cpp, xrefs: 0002D319
                                                                                                                          • Failed to pump messages in child process., xrefs: 0002D34D
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorLast$CloseCreateHandleObjectSingleThreadWait
                                                                                                                          • String ID: Failed to create elevated cache thread.$Failed to pump messages in child process.$elevation.cpp
                                                                                                                          • API String ID: 3606931770-4134175193
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • lstrlenW.KERNEL32(?,?,00000000,00000000,BundleUpgradeCode), ref: 000515DA
                                                                                                                          • lstrlenW.KERNEL32(?,00000002,00000001,?,00000002,00000001,00000000,00000000,BundleUpgradeCode), ref: 0005163C
                                                                                                                          • lstrlenW.KERNEL32(?), ref: 00051648
                                                                                                                          • RegSetValueExW.ADVAPI32(?,?,00000000,00000007,?,?,00000001,?,?,00000002,00000001,00000000,00000000,BundleUpgradeCode), ref: 0005168B
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: lstrlen$Value
                                                                                                                          • String ID: BundleUpgradeCode$regutil.cpp
                                                                                                                          • API String ID: 198323757-1648651458
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • _MREFOpen@16.MSPDB140-MSVCRT ref: 000339F4
                                                                                                                          Strings
                                                                                                                          • Failed to escape string., xrefs: 00033A76
                                                                                                                          • Failed to format property value., xrefs: 00033A7D
                                                                                                                          • Failed to format property string part., xrefs: 00033A6F
                                                                                                                          • Failed to append property string part., xrefs: 00033A68
                                                                                                                          • %s%="%s", xrefs: 00033A27
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Open@16
                                                                                                                          • String ID: %s%="%s"$Failed to append property string part.$Failed to escape string.$Failed to format property string part.$Failed to format property value.
                                                                                                                          • API String ID: 3613110473-515423128
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • MoveFileExW.KERNEL32(00000003,00000001,00000000,00000000,00000101,?,0005432E,00000003,00000001,00000001,000007D0,00000003,00000000,?,0002A063,00000001), ref: 00054203
                                                                                                                          • GetLastError.KERNEL32(00000002,?,0005432E,00000003,00000001,00000001,000007D0,00000003,00000000,?,0002A063,00000001,000007D0,00000001,00000001,00000003), ref: 00054212
                                                                                                                          • MoveFileExW.KERNEL32(00000003,00000001,00000000,00000001,00000000,?,0005432E,00000003,00000001,00000001,000007D0,00000003,00000000,?,0002A063,00000001), ref: 000542A6
                                                                                                                          • GetLastError.KERNEL32(?,0005432E,00000003,00000001,00000001,000007D0,00000003,00000000,?,0002A063,00000001,000007D0,00000001), ref: 000542B0
                                                                                                                            • Part of subcall function 00054440: FindFirstFileW.KERNEL32(0003923A,?,00000100,00000000,00000000), ref: 0005447B
                                                                                                                            • Part of subcall function 00054440: FindClose.KERNEL32(00000000), ref: 00054487
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: File$ErrorFindLastMove$CloseFirst
                                                                                                                          • String ID: \$fileutil.cpp
                                                                                                                          • API String ID: 3479031965-1689471480
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • EnterCriticalSection.KERNEL32(00000000,00000000,00000000,?,?,?,00015932,00000100,00000100,00000000,00000000,00000001,00000000,00000100), ref: 0001733E
                                                                                                                          • LeaveCriticalSection.KERNEL32(00000000,00000000,00000100,00000000,?,?,?,00015932,00000100,00000100,00000000,00000000,00000001,00000000,00000100), ref: 0001741D
                                                                                                                          Strings
                                                                                                                          • *****, xrefs: 000173D9, 000173E6
                                                                                                                          • Failed to format value '%ls' of variable: %ls, xrefs: 000173E7
                                                                                                                          • Failed to get unformatted string., xrefs: 000173AE
                                                                                                                          • Failed to get value as string for variable: %ls, xrefs: 0001740C
                                                                                                                          • Failed to get variable: %ls, xrefs: 0001737F
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CriticalSection$EnterLeave
                                                                                                                          • String ID: *****$Failed to format value '%ls' of variable: %ls$Failed to get unformatted string.$Failed to get value as string for variable: %ls$Failed to get variable: %ls
                                                                                                                          • API String ID: 3168844106-2873099529
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • InitializeAcl.ADVAPI32(?,00000008,00000002,0000001A,00000000,?,00000000,00000000,?,?,00000000), ref: 00028E37
                                                                                                                          • GetLastError.KERNEL32 ref: 00028E41
                                                                                                                          • SetFileAttributesW.KERNEL32(?,00000080,?,00000001,20000004,00000000,00000000,?,00000000,00000003,000007D0,?,00000000,00000000,?,?), ref: 00028EA1
                                                                                                                          Strings
                                                                                                                          • Failed to initialize ACL., xrefs: 00028E6F
                                                                                                                          • Failed to allocate administrator SID., xrefs: 00028E1D
                                                                                                                          • cache.cpp, xrefs: 00028E65
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: AttributesErrorFileInitializeLast
                                                                                                                          • String ID: Failed to allocate administrator SID.$Failed to initialize ACL.$cache.cpp
                                                                                                                          • API String ID: 669721577-1117388985
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • GetCurrentDirectoryW.KERNEL32(00000000,00000000,?,00000000,crypt32.dll,?,?,00024028,00000001,feclient.dll,?,00000000,?,?,?,00014B12), ref: 0001424D
                                                                                                                          • GetLastError.KERNEL32(?,?,00024028,00000001,feclient.dll,?,00000000,?,?,?,00014B12,?,?,0005B488,?,00000001), ref: 00014259
                                                                                                                          • GetCurrentDirectoryW.KERNEL32(00000000,?,?,00000000,?,?,00024028,00000001,feclient.dll,?,00000000,?,?,?,00014B12,?), ref: 00014294
                                                                                                                          • GetLastError.KERNEL32(?,?,00024028,00000001,feclient.dll,?,00000000,?,?,?,00014B12,?,?,0005B488,?,00000001), ref: 0001429E
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CurrentDirectoryErrorLast
                                                                                                                          • String ID: crypt32.dll$dirutil.cpp
                                                                                                                          • API String ID: 152501406-1104880720
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          Strings
                                                                                                                          • Unexpected call to CabWrite()., xrefs: 00030BC1
                                                                                                                          • cabextract.cpp, xrefs: 00030C2B
                                                                                                                          • Failed to write during cabinet extraction., xrefs: 00030C35
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorFileLastWrite_memcpy_s
                                                                                                                          • String ID: Failed to write during cabinet extraction.$Unexpected call to CabWrite().$cabextract.cpp
                                                                                                                          • API String ID: 1970631241-3111339858
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • _MREFOpen@16.MSPDB140-MSVCRT ref: 00019AFB
                                                                                                                          • GetFileAttributesW.KERNEL32(00000000,000002C0,?,00000000,00000000,000002C0,00000100,00000000,00000000,?,0001A8B4,00000100,000002C0,000002C0,00000100), ref: 00019B10
                                                                                                                          • GetLastError.KERNEL32(?,0001A8B4,00000100,000002C0,000002C0,00000100), ref: 00019B1B
                                                                                                                          Strings
                                                                                                                          • Failed to set variable., xrefs: 00019B7A
                                                                                                                          • Failed to format variable string., xrefs: 00019B06
                                                                                                                          • Failed while searching directory search: %ls, for path: %ls, xrefs: 00019B54
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: AttributesErrorFileLastOpen@16
                                                                                                                          • String ID: Failed to format variable string.$Failed to set variable.$Failed while searching directory search: %ls, for path: %ls
                                                                                                                          • API String ID: 1811509786-402580132
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • DosDateTimeToFileTime.KERNEL32(?,?,?), ref: 00030CC4
                                                                                                                          • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00030CD6
                                                                                                                          • SetFileTime.KERNEL32(?,?,?,?), ref: 00030CE9
                                                                                                                          • CloseHandle.KERNEL32(000000FF,?,?,?,?,?,?,?,?,?,?,?,?,000308B1,?,?), ref: 00030CF8
                                                                                                                          Strings
                                                                                                                          • cabextract.cpp, xrefs: 00030C93
                                                                                                                          • Invalid operation for this state., xrefs: 00030C9D
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Time$File$CloseDateHandleLocal
                                                                                                                          • String ID: Invalid operation for this state.$cabextract.cpp
                                                                                                                          • API String ID: 609741386-1751360545
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,crypt32.dll,00000000,00000000,00000000,?,0002539D), ref: 00024AC3
                                                                                                                          Strings
                                                                                                                          • Failed to write message type to pipe., xrefs: 00024B05
                                                                                                                          • pipe.cpp, xrefs: 00024AFB
                                                                                                                          • Failed to allocate message to write., xrefs: 00024AA2
                                                                                                                          • crypt32.dll, xrefs: 00024A7D
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: FileWrite
                                                                                                                          • String ID: Failed to allocate message to write.$Failed to write message type to pipe.$crypt32.dll$pipe.cpp
                                                                                                                          • API String ID: 3934441357-606776022
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                            • Part of subcall function 0001394F: GetProcessHeap.KERNEL32(?,000001C7,?,00012274,000001C7,00000001,80004005,8007139F,?,?,00050267,8007139F,?,00000000,00000000,8007139F), ref: 00013960
                                                                                                                            • Part of subcall function 0001394F: RtlAllocateHeap.NTDLL(00000000,?,00012274,000001C7,00000001,80004005,8007139F,?,?,00050267,8007139F,?,00000000,00000000,8007139F), ref: 00013967
                                                                                                                          • _memcpy_s.LIBCMT ref: 00024693
                                                                                                                          • _memcpy_s.LIBCMT ref: 000246A6
                                                                                                                          • _memcpy_s.LIBCMT ref: 000246C1
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: _memcpy_s$Heap$AllocateProcess
                                                                                                                          • String ID: Failed to allocate memory for message.$feclient.dll$pipe.cpp
                                                                                                                          • API String ID: 886498622-766083570
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • ShellExecuteExW.SHELL32(?), ref: 00053CC0
                                                                                                                          • GetLastError.KERNEL32(?,?,00000000), ref: 00053CCA
                                                                                                                          • CloseHandle.KERNEL32(?,?,?,00000000), ref: 00053CFD
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CloseErrorExecuteHandleLastShell
                                                                                                                          • String ID: <$PDu$shelutil.cpp
                                                                                                                          • API String ID: 3023784893-2418939910
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • SysFreeString.OLEAUT32(00000000), ref: 00019AC4
                                                                                                                          Strings
                                                                                                                          • `<u, xrefs: 00019AC4
                                                                                                                          • Condition, xrefs: 00019A5F
                                                                                                                          • Failed to get Condition inner text., xrefs: 00019A94
                                                                                                                          • Failed to select condition node., xrefs: 00019A7B
                                                                                                                          • Failed to copy condition string from BSTR, xrefs: 00019AAE
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: FreeString
                                                                                                                          • String ID: Condition$Failed to copy condition string from BSTR$Failed to get Condition inner text.$Failed to select condition node.$`<u
                                                                                                                          • API String ID: 3341692771-266405526
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
                                                                                                                          • API String ID: 0-1718035505
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,00015EB2,00000000), ref: 00050AE0
                                                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 00050AE7
                                                                                                                          • GetLastError.KERNEL32(?,?,?,00015EB2,00000000), ref: 00050AFE
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: AddressErrorHandleLastModuleProc
                                                                                                                          • String ID: IsWow64Process$kernel32$procutil.cpp
                                                                                                                          • API String ID: 4275029093-1586155540
                                                                                                                          • Opcode ID: 873d5b4edf439764f45116bcdcec18f59ac3e4bd2534aaadd73fdd0bab667b55
                                                                                                                          • Instruction ID: e8dec72b0abb15932537d8cbd715449c79d93aa6e0d907b21b529c4e007b327d
                                                                                                                          • Opcode Fuzzy Hash: 873d5b4edf439764f45116bcdcec18f59ac3e4bd2534aaadd73fdd0bab667b55
                                                                                                                          • Instruction Fuzzy Hash: BCF0C876E0073AA7E7209B958C49DAFBBA8EF00752F014154BD05AB280EB74EE04D7D4
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00043479,00043479,?,?,?,0004A45C,00000001,00000001,ECE85006), ref: 0004A265
                                                                                                                          • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0004A45C,00000001,00000001,ECE85006,?,?,?), ref: 0004A2EB
                                                                                                                          • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,ECE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0004A3E5
                                                                                                                          • __freea.LIBCMT ref: 0004A3F2
                                                                                                                            • Part of subcall function 0004521A: HeapAlloc.KERNEL32(00000000,?,?,?,00041F87,?,0000015D,?,?,?,?,000433E0,000000FF,00000000,?,?), ref: 0004524C
                                                                                                                          • __freea.LIBCMT ref: 0004A3FB
                                                                                                                          • __freea.LIBCMT ref: 0004A420
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ByteCharMultiWide__freea$AllocHeap
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3147120248-0
                                                                                                                          • Opcode ID: b8513ca8a4e11bd15791141eba2d1a55d4e7a5e7527bd8d648ca8a06a5b98acd
                                                                                                                          • Instruction ID: 868a155eb6ae5743ee06e6a424998df610d07ef123a8b71218dd2527ee205ea7
                                                                                                                          • Opcode Fuzzy Hash: b8513ca8a4e11bd15791141eba2d1a55d4e7a5e7527bd8d648ca8a06a5b98acd
                                                                                                                          • Instruction Fuzzy Hash: 385131B2B50206AFEB258E64CC81EBF37E9EB46711F144638FC04D6041EB74ED809669
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • Sleep.KERNEL32(000007D0,00000000,00000000), ref: 00028D18
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Sleep
                                                                                                                          • String ID: Failed to calculate cache path.$Failed to get %hs package cache root directory.$Failed to get old %hs package cache root directory.$per-machine$per-user
                                                                                                                          • API String ID: 3472027048-398165853
                                                                                                                          • Opcode ID: 71019456125d2940b243f573d48ab13e4860d26947321176bc72a27bdddee351
                                                                                                                          • Instruction ID: fc25aee42d76ce338e5115b7a1c9defaa8e13c02f0ac29fac464690c061823b3
                                                                                                                          • Opcode Fuzzy Hash: 71019456125d2940b243f573d48ab13e4860d26947321176bc72a27bdddee351
                                                                                                                          • Instruction Fuzzy Hash: 62310636A41234BBEB22A654DC42FFFA36C9F20711F118025FD04F6282DE798D0497A1
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • DefWindowProcW.USER32(?,00000082,?,?), ref: 0002E985
                                                                                                                          • SetWindowLongW.USER32(?,000000EB,00000000), ref: 0002E994
                                                                                                                          • SetWindowLongW.USER32(?,000000EB,?), ref: 0002E9A8
                                                                                                                          • DefWindowProcW.USER32(?,?,?,?), ref: 0002E9B8
                                                                                                                          • GetWindowLongW.USER32(?,000000EB), ref: 0002E9D2
                                                                                                                          • PostQuitMessage.USER32(00000000), ref: 0002EA31
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Window$Long$Proc$MessagePostQuit
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3812958022-0
                                                                                                                          • Opcode ID: 8aa5bafff2d1cda389ddc67a3b9d4ceeb665927cd5f3ba581a763a025583a630
                                                                                                                          • Instruction ID: eb616e6043dc7bcb9d530f807da31f40e726fbb26a8ced1717b349cb27b4c28a
                                                                                                                          • Opcode Fuzzy Hash: 8aa5bafff2d1cda389ddc67a3b9d4ceeb665927cd5f3ba581a763a025583a630
                                                                                                                          • Instruction Fuzzy Hash: F421B331144264BFDF119F68EC49EAF3B66FF44311F144618FA06AA1A5C731EE50DBA1
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          Strings
                                                                                                                          • Unexpected elevated message sent to child process, msg: %u, xrefs: 0002C9C4
                                                                                                                          • elevation.cpp, xrefs: 0002C9B8
                                                                                                                          • Failed to save state., xrefs: 0002C891
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CloseHandleMutexRelease
                                                                                                                          • String ID: Failed to save state.$Unexpected elevated message sent to child process, msg: %u$elevation.cpp
                                                                                                                          • API String ID: 4207627910-1576875097
                                                                                                                          • Opcode ID: f078ecca0902e43dff1ff17a40fe7bd2f835679a94e9cf7b8eccf0d0dffea377
                                                                                                                          • Instruction ID: b33da8cf3963b3c3d6a577e2de6efd67593cf1f0bf9193b661ff397162bf1fbb
                                                                                                                          • Opcode Fuzzy Hash: f078ecca0902e43dff1ff17a40fe7bd2f835679a94e9cf7b8eccf0d0dffea377
                                                                                                                          • Instruction Fuzzy Hash: 0861D63A100624EFDB225F84DD45C6ABBB2FF08314715C559FA995A632C732E861EF41
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                            • Part of subcall function 0001394F: GetProcessHeap.KERNEL32(?,000001C7,?,00012274,000001C7,00000001,80004005,8007139F,?,?,00050267,8007139F,?,00000000,00000000,8007139F), ref: 00013960
                                                                                                                            • Part of subcall function 0001394F: RtlAllocateHeap.NTDLL(00000000,?,00012274,000001C7,00000001,80004005,8007139F,?,?,00050267,8007139F,?,00000000,00000000,8007139F), ref: 00013967
                                                                                                                          • SysFreeString.OLEAUT32(00000000), ref: 00057C74
                                                                                                                          • SysFreeString.OLEAUT32(00000000), ref: 00057C7F
                                                                                                                          • SysFreeString.OLEAUT32(00000000), ref: 00057C8A
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: FreeString$Heap$AllocateProcess
                                                                                                                          • String ID: `<u$atomutil.cpp
                                                                                                                          • API String ID: 2724874077-4051019476
                                                                                                                          • Opcode ID: 8ec8d290cb972f754ead3ca68b82768f0bb4f51d5fbfe5896e2b8e80535e7fc4
                                                                                                                          • Instruction ID: 369360cb1a514889492374306e4a695a358eac00feb5657532af3fa856177fb6
                                                                                                                          • Opcode Fuzzy Hash: 8ec8d290cb972f754ead3ca68b82768f0bb4f51d5fbfe5896e2b8e80535e7fc4
                                                                                                                          • Instruction Fuzzy Hash: D551837190422AAFDB21DB64D844FAFBBB8AF04711F114198E909AF111D772ED44DB90
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • RegQueryValueExW.ADVAPI32(00000000,000002C0,00000000,000002C0,00000000,00000000,000002C0,BundleUpgradeCode,00000410,000002C0,00000000,00000000,00000000,00000100,00000000), ref: 0005123F
                                                                                                                          • RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,?,?,?,?,?,000270E8,00000100,000000B0,00000088,00000410,000002C0), ref: 00051276
                                                                                                                          • lstrlenW.KERNEL32(?,?,?,00000000,?,-00000001,00000004,00000000), ref: 0005136E
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: QueryValue$lstrlen
                                                                                                                          • String ID: BundleUpgradeCode$regutil.cpp
                                                                                                                          • API String ID: 3790715954-1648651458
                                                                                                                          • Opcode ID: 632704bd0e1361f204d2dcbb28ef08a124fd6e5b1669e8a1fd2b9fb8e1aedb86
                                                                                                                          • Instruction ID: 35bcd3369de498f873273181e5c8c6c58406dda2eb6d16f59a6f7c5ff256a8a5
                                                                                                                          • Opcode Fuzzy Hash: 632704bd0e1361f204d2dcbb28ef08a124fd6e5b1669e8a1fd2b9fb8e1aedb86
                                                                                                                          • Instruction Fuzzy Hash: AA41DF36A0121AFFDB219F95C894BEFB7A9EF44712F154169FD01EB600D6309E18CBA0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                            • Part of subcall function 0005490D: SetFilePointerEx.KERNELBASE(?,?,?,?,?,00000000,?,?,?,00028770,00000000,00000000,00000000,00000000,00000000), ref: 00054925
                                                                                                                            • Part of subcall function 0005490D: GetLastError.KERNEL32(?,?,?,00028770,00000000,00000000,00000000,00000000,00000000), ref: 0005492F
                                                                                                                          • WriteFile.KERNEL32(?,?,00000000,?,00000000,?,00055C09,?,?,?,?,?,?,?,00010000,?), ref: 000563C0
                                                                                                                          • WriteFile.KERNEL32(000000FF,00000008,00000008,?,00000000,000000FF,00000000,00000000,00000000,00000000,?,00055C09,?,?,?,?), ref: 00056412
                                                                                                                          • GetLastError.KERNEL32(?,00055C09,?,?,?,?,?,?,?,00010000,?,00000001,?,GET,?,?), ref: 00056458
                                                                                                                          • GetLastError.KERNEL32(?,00055C09,?,?,?,?,?,?,?,00010000,?,00000001,?,GET,?,?), ref: 0005647E
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorFileLast$Write$Pointer
                                                                                                                          • String ID: dlutil.cpp
                                                                                                                          • API String ID: 133221148-2067379296
                                                                                                                          • Opcode ID: aba6625f54e43ce05b51be4dfcacb0054b070d5e09f8ec25ddeb3ebe360c36bd
                                                                                                                          • Instruction ID: 39790ca631832dba2e7a89e81cb8abeeb2d03f5df9b73780458a26ae439292f1
                                                                                                                          • Opcode Fuzzy Hash: aba6625f54e43ce05b51be4dfcacb0054b070d5e09f8ec25ddeb3ebe360c36bd
                                                                                                                          • Instruction Fuzzy Hash: 9B41AE72940219BFEB218E94CC45BEF7BA9EF04362F544125FD00A7190D736DD64DBA0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • WideCharToMultiByte.KERNEL32(?,00000000,0004FFEF,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,0004FFEF,000312CF,?,00000000), ref: 0001246E
                                                                                                                          • GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,0004FFEF,000312CF,?,00000000,0000FDE9,?,000312CF), ref: 0001247A
                                                                                                                            • Part of subcall function 00013BD3: GetProcessHeap.KERNEL32(00000000,000001C7,?,000121CC,000001C7,80004005,8007139F,?,?,00050267,8007139F,?,00000000,00000000,8007139F), ref: 00013BDB
                                                                                                                            • Part of subcall function 00013BD3: HeapSize.KERNEL32(00000000,?,000121CC,000001C7,80004005,8007139F,?,?,00050267,8007139F,?,00000000,00000000,8007139F), ref: 00013BE2
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Heap$ByteCharErrorLastMultiProcessSizeWide
                                                                                                                          • String ID: strutil.cpp
                                                                                                                          • API String ID: 3662877508-3612885251
                                                                                                                          • Opcode ID: 0542f23704ec08b413943e75aa0a38bcd6322adc968a23f99b12e498d5a27473
                                                                                                                          • Instruction ID: acde1da2e0facbb17c242a3d13366e8ee8cf52d7a23027def9579ee485c3a776
                                                                                                                          • Opcode Fuzzy Hash: 0542f23704ec08b413943e75aa0a38bcd6322adc968a23f99b12e498d5a27473
                                                                                                                          • Instruction Fuzzy Hash: D031D83130071AAFEB209E658CD4AFB37DEAB54368B104229FE119B291E775DCE19760
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,?,000000FF,?,00000000,?,?,?,00000000,00000000,?,?,00000000), ref: 0003ADB3
                                                                                                                          Strings
                                                                                                                          • Failed to extract payload: %ls from container: %ls, xrefs: 0003AE3E
                                                                                                                          • Failed to open container: %ls., xrefs: 0003AD85
                                                                                                                          • Failed to skip the extraction of payload: %ls from container: %ls, xrefs: 0003AE4A
                                                                                                                          • Failed to extract all payloads from container: %ls, xrefs: 0003ADF7
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CompareString
                                                                                                                          • String ID: Failed to extract all payloads from container: %ls$Failed to extract payload: %ls from container: %ls$Failed to open container: %ls.$Failed to skip the extraction of payload: %ls from container: %ls
                                                                                                                          • API String ID: 1825529933-3891707333
                                                                                                                          • Opcode ID: b72a2d5d7df756752db554ab6cef8a9ca210253825e483ff316e558829efa828
                                                                                                                          • Instruction ID: b3b3a38ca474b36cfb5fe115dad3f720eeac55fa3c11bd2ec2db8664114cc58c
                                                                                                                          • Opcode Fuzzy Hash: b72a2d5d7df756752db554ab6cef8a9ca210253825e483ff316e558829efa828
                                                                                                                          • Instruction Fuzzy Hash: AF310332E00215BBCF22AAE0CC46EDF77ADAF05711F104611FE51A7192E735DA64DBA1
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                            • Part of subcall function 0001394F: GetProcessHeap.KERNEL32(?,000001C7,?,00012274,000001C7,00000001,80004005,8007139F,?,?,00050267,8007139F,?,00000000,00000000,8007139F), ref: 00013960
                                                                                                                            • Part of subcall function 0001394F: RtlAllocateHeap.NTDLL(00000000,?,00012274,000001C7,00000001,80004005,8007139F,?,?,00050267,8007139F,?,00000000,00000000,8007139F), ref: 00013967
                                                                                                                          • SysFreeString.OLEAUT32(00000000), ref: 00057AF4
                                                                                                                          • SysFreeString.OLEAUT32(?), ref: 00057AFF
                                                                                                                          • SysFreeString.OLEAUT32(00000000), ref: 00057B0A
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: FreeString$Heap$AllocateProcess
                                                                                                                          • String ID: `<u$atomutil.cpp
                                                                                                                          • API String ID: 2724874077-4051019476
                                                                                                                          • Opcode ID: 67bc42dc4a320a19621e91611b5f9f4b5fc67556fbc8d30f2fe3384bf7303acf
                                                                                                                          • Instruction ID: f30a47863d3a269cccc8d7b9a5bfa426ce937769c95fada79a17d1e9f7d9f120
                                                                                                                          • Opcode Fuzzy Hash: 67bc42dc4a320a19621e91611b5f9f4b5fc67556fbc8d30f2fe3384bf7303acf
                                                                                                                          • Instruction Fuzzy Hash: 9331A432D04229BBDB229B94DC45EDFBBA8EF40751F114161ED04AB111D7719E48AB91
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000000,00000001,000000FF,?,000000FF,00000001,PackageVersion,00000001,?,00020654,00000001,00000001,00000001,00020654,00000000), ref: 0001F07D
                                                                                                                          • RegCloseKey.ADVAPI32(00000000,00000001,PackageVersion,00000001,?,00020654,00000001,00000001,00000001,00020654,00000000,00000001,00000000,?,00020654,00000001), ref: 0001F09A
                                                                                                                          Strings
                                                                                                                          • Failed to format key for update registration., xrefs: 0001F033
                                                                                                                          • PackageVersion, xrefs: 0001F05E
                                                                                                                          • Failed to remove update registration key: %ls, xrefs: 0001F0C7
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CloseCompareString
                                                                                                                          • String ID: Failed to format key for update registration.$Failed to remove update registration key: %ls$PackageVersion
                                                                                                                          • API String ID: 446873843-3222553582
                                                                                                                          • Opcode ID: dc2db0e0cd5948bd1847ad2d21daff79775c6783d73cbf91b603f546263051b0
                                                                                                                          • Instruction ID: 4dd595a91894e817e988f7a00abeeababa2e2df42613f52f5ae27a853e61d94c
                                                                                                                          • Opcode Fuzzy Hash: dc2db0e0cd5948bd1847ad2d21daff79775c6783d73cbf91b603f546263051b0
                                                                                                                          • Instruction Fuzzy Hash: FF21753190122ABADB22ABA5CD09FFFBEB8EF45721F100275BD14A7192E7355A40D690
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                            • Part of subcall function 00054440: FindFirstFileW.KERNEL32(0003923A,?,00000100,00000000,00000000), ref: 0005447B
                                                                                                                            • Part of subcall function 00054440: FindClose.KERNEL32(00000000), ref: 00054487
                                                                                                                          • RegCloseKey.ADVAPI32(?,00000000,?,00000000,?,00000000,?,00000000,?,wininet.dll,?,crypt32.dll,?,?,?,00000000), ref: 00054430
                                                                                                                            • Part of subcall function 00050F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,0007AAA0,00000000,?,000557E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00050F80
                                                                                                                            • Part of subcall function 00051217: RegQueryValueExW.ADVAPI32(00000000,000002C0,00000000,000002C0,00000000,00000000,000002C0,BundleUpgradeCode,00000410,000002C0,00000000,00000000,00000000,00000100,00000000), ref: 0005123F
                                                                                                                            • Part of subcall function 00051217: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,?,?,?,?,?,000270E8,00000100,000000B0,00000088,00000410,000002C0), ref: 00051276
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CloseFindQueryValue$FileFirstOpen
                                                                                                                          • String ID: PendingFileRenameOperations$SYSTEM\CurrentControlSet\Control\Session Manager$\$crypt32.dll
                                                                                                                          • API String ID: 3397690329-3978359083
                                                                                                                          • Opcode ID: f9d25d79ed94c8ed19e59d2e84278c3cacaafd59df9532a45152216295144f24
                                                                                                                          • Instruction ID: 907f2eb5f53e4cac2defffa0342097e9ba691b53c92e62f87fb6795bc1f389c6
                                                                                                                          • Opcode Fuzzy Hash: f9d25d79ed94c8ed19e59d2e84278c3cacaafd59df9532a45152216295144f24
                                                                                                                          • Instruction Fuzzy Hash: AF318D31D40209BADF20AF91CC41AEFBBB5EB0075AF54817AED04AA151E7359ED8CF50
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • CopyFileW.KERNEL32(00000000,00014DBC,00000000,?,?,00000000,?,0005412D,00000000,00014DBC,00000000,00000000,?,000285EE,?,?), ref: 00054033
                                                                                                                          • GetLastError.KERNEL32(?,0005412D,00000000,00014DBC,00000000,00000000,?,000285EE,?,?,00000001,00000003,000007D0,?,?,?), ref: 00054041
                                                                                                                          • CopyFileW.KERNEL32(00000000,00014DBC,00000000,00014DBC,00000000,?,0005412D,00000000,00014DBC,00000000,00000000,?,000285EE,?,?,00000001), ref: 000540AC
                                                                                                                          • GetLastError.KERNEL32(?,0005412D,00000000,00014DBC,00000000,00000000,?,000285EE,?,?,00000001,00000003,000007D0,?,?,?), ref: 000540B6
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CopyErrorFileLast
                                                                                                                          • String ID: fileutil.cpp
                                                                                                                          • API String ID: 374144340-2967768451
                                                                                                                          • Opcode ID: 94708819e2183a4d7b065ec35eb41422563df6f7fa066609b86688cd79efe097
                                                                                                                          • Instruction ID: b1c9fe552d0622f06b31fdadd1f8d5095b97ebfab9420811889a6da503cd223f
                                                                                                                          • Opcode Fuzzy Hash: 94708819e2183a4d7b065ec35eb41422563df6f7fa066609b86688cd79efe097
                                                                                                                          • Instruction Fuzzy Hash: D521C136600332A7EF700AA54C40BFB76D8EF10B6AB241535EF04DB191E7758CC882E0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • _MREFOpen@16.MSPDB140-MSVCRT ref: 0001EF56
                                                                                                                            • Part of subcall function 00054153: SetFileAttributesW.KERNEL32(0003923A,00000080,00000000,0003923A,000000FF,00000000,?,?,0003923A), ref: 00054182
                                                                                                                            • Part of subcall function 00054153: GetLastError.KERNEL32(?,?,0003923A), ref: 0005418C
                                                                                                                            • Part of subcall function 00013C6B: RemoveDirectoryW.KERNEL32(00000001,00000000,00000000,00000000,?,?,0001EFA1,00000001,00000000,00000095,00000001,00020663,00000095,00000000,swidtag,00000001), ref: 00013C88
                                                                                                                          Strings
                                                                                                                          • Failed to allocate regid folder path., xrefs: 0001EFBC
                                                                                                                          • Failed to format tag folder path., xrefs: 0001EFC3
                                                                                                                          • swidtag, xrefs: 0001EF65
                                                                                                                          • Failed to allocate regid file path., xrefs: 0001EFB5
                                                                                                                          Similarity
                                                                                                                          • API ID: AttributesDirectoryErrorFileLastOpen@16Remove
                                                                                                                          • String ID: Failed to allocate regid file path.$Failed to allocate regid folder path.$Failed to format tag folder path.$swidtag
                                                                                                                          • API String ID: 1428973842-4170906717
                                                                                                                          • Opcode ID: 86737a6c35327b04cc8d12a90d6d55dc4b66bb5c18fcd8a3ac15b451f5e36de8
                                                                                                                          • Instruction ID: 824c1e78f481720aff48e9dde81ee6dcc9a54c0a7252a0ec52a97ebaf32cfff2
                                                                                                                          • Opcode Fuzzy Hash: 86737a6c35327b04cc8d12a90d6d55dc4b66bb5c18fcd8a3ac15b451f5e36de8
                                                                                                                          • Instruction Fuzzy Hash: 1B21AC31D00558BBCB15EB98CC02ADEFBB5EF44310F1480B9FC14AB2A2D7719E929B90
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                            • Part of subcall function 00050F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,0007AAA0,00000000,?,000557E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00050F80
                                                                                                                          • CompareStringW.KERNEL32(00000000,00000001,00000000,000000FF,?,000000FF,00000000,00000000,00000000,-80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00020019,00000000,00000100,00000100,000001B4), ref: 00038E3A
                                                                                                                          • RegCloseKey.ADVAPI32(00000000,-80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00020019,00000000,00000100,00000100,000001B4,?,?,?,0001F7E0,00000001,00000100,000001B4,00000000), ref: 00038E88
                                                                                                                          Strings
                                                                                                                          • Failed to enumerate uninstall key for related bundles., xrefs: 00038E99
                                                                                                                          • SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00038DD7
                                                                                                                          • Failed to open uninstall registry key., xrefs: 00038DFD
                                                                                                                          Similarity
                                                                                                                          • API ID: CloseCompareOpenString
                                                                                                                          • String ID: Failed to enumerate uninstall key for related bundles.$Failed to open uninstall registry key.$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
                                                                                                                          • API String ID: 2817536665-2531018330
                                                                                                                          • Opcode ID: 2f3624bf0e378cedb1020e2be684eb72988bf0907b2a382fb57120f4446f82da
                                                                                                                          • Instruction ID: be1ad51505059ff30772e129bdaa7ed6d8039667b5884fca03aacfb60e0413d8
                                                                                                                          • Opcode Fuzzy Hash: 2f3624bf0e378cedb1020e2be684eb72988bf0907b2a382fb57120f4446f82da
                                                                                                                          • Instruction Fuzzy Hash: 47219736940328FFDF22AAA4CC46FEFBABDEB00721F2485A4F91066051DB755E50D790
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                            • Part of subcall function 0001394F: GetProcessHeap.KERNEL32(?,000001C7,?,00012274,000001C7,00000001,80004005,8007139F,?,?,00050267,8007139F,?,00000000,00000000,8007139F), ref: 00013960
                                                                                                                            • Part of subcall function 0001394F: RtlAllocateHeap.NTDLL(00000000,?,00012274,000001C7,00000001,80004005,8007139F,?,?,00050267,8007139F,?,00000000,00000000,8007139F), ref: 00013967
                                                                                                                          • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0003D2EE
                                                                                                                          • ReleaseMutex.KERNEL32(?), ref: 0003D31C
                                                                                                                          • SetEvent.KERNEL32(?), ref: 0003D325
                                                                                                                          Strings
                                                                                                                          Similarity
                                                                                                                          • API ID: Heap$AllocateEventMutexObjectProcessReleaseSingleWait
                                                                                                                          • String ID: Failed to allocate buffer.$NetFxChainer.cpp
                                                                                                                          • API String ID: 944053411-3611226795
                                                                                                                          • Opcode ID: 057714f6c9c20ef5a4505a3fafd3bb8e450e7539a3e4bf75ead77bd780781ee8
                                                                                                                          • Instruction ID: e1c7c96113df844933c415fcaabf9a31dd32f37c59f3164bd778a7d28bf5a80e
                                                                                                                          • Opcode Fuzzy Hash: 057714f6c9c20ef5a4505a3fafd3bb8e450e7539a3e4bf75ead77bd780781ee8
                                                                                                                          • Instruction Fuzzy Hash: 0621A1B4A00306FFDB109F68D844A9EB7F9FF48320F108629F964A7352C775AD508B90
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • QueryServiceConfigW.ADVAPI32(00000000,00000000,00000000,?,00000001,00000000,?,?,00036B11,00000000,?), ref: 0005591D
                                                                                                                          • GetLastError.KERNEL32(?,?,00036B11,00000000,?,?,?,?,?,?,?,?,?,00036F28,?,?), ref: 0005592B
                                                                                                                            • Part of subcall function 0001394F: GetProcessHeap.KERNEL32(?,000001C7,?,00012274,000001C7,00000001,80004005,8007139F,?,?,00050267,8007139F,?,00000000,00000000,8007139F), ref: 00013960
                                                                                                                            • Part of subcall function 0001394F: RtlAllocateHeap.NTDLL(00000000,?,00012274,000001C7,00000001,80004005,8007139F,?,?,00050267,8007139F,?,00000000,00000000,8007139F), ref: 00013967
                                                                                                                          • QueryServiceConfigW.ADVAPI32(00000000,00000000,?,?,?,00000001,?,?,00036B11,00000000,?), ref: 00055965
                                                                                                                          • GetLastError.KERNEL32(?,?,00036B11,00000000,?,?,?,?,?,?,?,?,?,00036F28,?,?), ref: 0005596F
                                                                                                                          Strings
                                                                                                                          Similarity
                                                                                                                          • API ID: ConfigErrorHeapLastQueryService$AllocateProcess
                                                                                                                          • String ID: svcutil.cpp
                                                                                                                          • API String ID: 355237494-1746323212
                                                                                                                          • Opcode ID: 2c2c0738bc19beaedc4ea128213519f68350e2f84d257efae23905c13362797e
                                                                                                                          • Instruction ID: 9733774e4342747c5283f827bb0ccca4b586a24ea2cc754466c0ef9393589774
                                                                                                                          • Opcode Fuzzy Hash: 2c2c0738bc19beaedc4ea128213519f68350e2f84d257efae23905c13362797e
                                                                                                                          • Instruction Fuzzy Hash: 8A212036941A35FBE7315A918C14BAFBAA9AF80B73F110014FD05AB240EA2D8E0496E1
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • SysAllocString.OLEAUT32(?), ref: 00053258
                                                                                                                          • VariantInit.OLEAUT32(?), ref: 00053264
                                                                                                                          • VariantClear.OLEAUT32(?), ref: 000532D8
                                                                                                                          • SysFreeString.OLEAUT32(00000000), ref: 000532E3
                                                                                                                            • Part of subcall function 00053498: SysAllocString.OLEAUT32(?), ref: 000534AD
                                                                                                                          Strings
                                                                                                                          Similarity
                                                                                                                          • API ID: String$AllocVariant$ClearFreeInit
                                                                                                                          • String ID: `<u
                                                                                                                          • API String ID: 347726874-3367579956
                                                                                                                          • Opcode ID: 575a76f3932fb4758daa623544b911789767a96e6e585928260e59ac4b399b56
                                                                                                                          • Instruction ID: 3f17ca85abe6c5d6a4a7b1b2a3719828a1288701bba3a2c9f4ec7eba50e3ac56
                                                                                                                          • Opcode Fuzzy Hash: 575a76f3932fb4758daa623544b911789767a96e6e585928260e59ac4b399b56
                                                                                                                          • Instruction Fuzzy Hash: 37213D31901619AFCB15DBA4C858EAFBBF9EF48756F104558EC01AB220D731AE09CB90
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          Strings
                                                                                                                          Similarity
                                                                                                                          • API ID: _memcpy_s
                                                                                                                          • String ID: Failed to find variable.$Failed to parse condition '%ls' at position: %u$Failed to read next symbol.$condition.cpp
                                                                                                                          • API String ID: 2001391462-1605196437
                                                                                                                          • Opcode ID: b41dd90e26332f32a834253e06601c70776161991045eda0151e458e26d58248
                                                                                                                          • Instruction ID: a33d0d5152d6eb9daca6b992eb5fc84c66c6a5574cf3fb459f0bf02a5d888e31
                                                                                                                          • Opcode Fuzzy Hash: b41dd90e26332f32a834253e06601c70776161991045eda0151e458e26d58248
                                                                                                                          • Instruction Fuzzy Hash: 7F11E732580224B6EF252D6C9C96DDB3A64EF16721F044466FE04AE193CE62C994D7E1
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • _MREFOpen@16.MSPDB140-MSVCRT ref: 00019E38
                                                                                                                          Strings
                                                                                                                          • Failed to set variable., xrefs: 00019E97
                                                                                                                          • File search: %ls, did not find path: %ls, xrefs: 00019EA3
                                                                                                                          • Failed to format path string., xrefs: 00019E43
                                                                                                                          • Failed get file version., xrefs: 00019E78
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Open@16
                                                                                                                          • String ID: Failed get file version.$Failed to format path string.$Failed to set variable.$File search: %ls, did not find path: %ls
                                                                                                                          • API String ID: 3613110473-2458530209
                                                                                                                          • Opcode ID: a8e12eece61bc03f6691a04ae84fa7babe4ad5677f246822be72b320c2b80d0d
                                                                                                                          • Instruction ID: e5c4f2c5b180858ca7047c79a1f8a51205decbc07d0ffad9c9c69a8f7d6c7844
                                                                                                                          • Opcode Fuzzy Hash: a8e12eece61bc03f6691a04ae84fa7babe4ad5677f246822be72b320c2b80d0d
                                                                                                                          • Instruction Fuzzy Hash: 7511D036D40128BBDB12AE94CC428EFBBB8EF14755F104166FD00AA211D7325E949BC1
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                            • Part of subcall function 0001394F: GetProcessHeap.KERNEL32(?,000001C7,?,00012274,000001C7,00000001,80004005,8007139F,?,?,00050267,8007139F,?,00000000,00000000,8007139F), ref: 00013960
                                                                                                                            • Part of subcall function 0001394F: RtlAllocateHeap.NTDLL(00000000,?,00012274,000001C7,00000001,80004005,8007139F,?,?,00050267,8007139F,?,00000000,00000000,8007139F), ref: 00013967
                                                                                                                          • CreateWellKnownSid.ADVAPI32(00000000,00000000,00000000,00000000,00000044,00000001,00000000,00000000,?,?,00028E17,0000001A,00000000,?,00000000,00000000), ref: 00028258
                                                                                                                          • GetLastError.KERNEL32(?,?,00028E17,0000001A,00000000,?,00000000,00000000,?,?,00000000), ref: 00028262
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Heap$AllocateCreateErrorKnownLastProcessWell
                                                                                                                          • String ID: Failed to allocate memory for well known SID.$Failed to create well known SID.$cache.cpp
                                                                                                                          • API String ID: 2186923214-2110050797
                                                                                                                          • Opcode ID: 33b1ecb4877f11e611ff6f78cf74aa2088535e4a4d71e4254011d09c6cdca005
                                                                                                                          • Instruction ID: d7f56a49df011e43ecbfd75509953d813fe1198c3e41b0e758074b86471329d6
                                                                                                                          • Opcode Fuzzy Hash: 33b1ecb4877f11e611ff6f78cf74aa2088535e4a4d71e4254011d09c6cdca005
                                                                                                                          • Instruction Fuzzy Hash: 6D01253B542631F7D6316695AC0AEDF6A999F40B71F214016FD04BB281EE748D4082E0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000003E8,000004FF), ref: 0003DDCE
                                                                                                                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0003DDF8
                                                                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,0003DFC8,00000000,?,?,?,?,00000000), ref: 0003DE00
                                                                                                                          Strings
                                                                                                                          • Failed while waiting for download., xrefs: 0003DE2E
                                                                                                                          • bitsengine.cpp, xrefs: 0003DE24
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorLastMessageMultipleObjectsPeekWait
                                                                                                                          • String ID: Failed while waiting for download.$bitsengine.cpp
                                                                                                                          • API String ID: 435350009-228655868
                                                                                                                          • Opcode ID: ddf78cbe091ffcabfc95e1f9a753ef8a46233e212c38c48af5d70b4b305e1ef6
                                                                                                                          • Instruction ID: 4c89dd3e7abe213cdb9bc8480ec84f593c9a8415438a97d77829f62ba6ef265a
                                                                                                                          • Opcode Fuzzy Hash: ddf78cbe091ffcabfc95e1f9a753ef8a46233e212c38c48af5d70b4b305e1ef6
                                                                                                                          • Instruction Fuzzy Hash: 4511C673A41235B7E7215AA9AC09EEFBE9CDB04721F010126FE05FB185DA65990085E4
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • lstrlenA.KERNEL32(000312CF,00000000,00000000,?,?,?,00050013,000312CF,000312CF,?,00000000,0000FDE9,?,000312CF,8007139F,Invalid operation for this state.), ref: 00050776
                                                                                                                          • WriteFile.KERNEL32(FFFFFFFF,00000000,00000000,?,00000000,?,?,00050013,000312CF,000312CF,?,00000000,0000FDE9,?,000312CF,8007139F), ref: 000507B2
                                                                                                                          • GetLastError.KERNEL32(?,?,00050013,000312CF,000312CF,?,00000000,0000FDE9,?,000312CF,8007139F,Invalid operation for this state.,cabextract.cpp,000001C7,8007139F), ref: 000507BC
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorFileLastWritelstrlen
                                                                                                                          • String ID: P o$logutil.cpp
                                                                                                                          • API String ID: 606256338-508742946
                                                                                                                          • Opcode ID: f79db0d4c9655786238bb58757bf125f4cfb87d5be33b0ab07f24f27b1c176c0
                                                                                                                          • Instruction ID: fe48390447da1a26dfa795cbe83533d0e1a779726b53f3d399e4db3dc979cc92
                                                                                                                          • Opcode Fuzzy Hash: f79db0d4c9655786238bb58757bf125f4cfb87d5be33b0ab07f24f27b1c176c0
                                                                                                                          • Instruction Fuzzy Hash: 8911CA72E0422DABD3209A65CD44AAFBAACEB49762B114254FD05E7140E735BD40C9E0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • GetComputerNameW.KERNEL32(?,00000010), ref: 00015F5C
                                                                                                                          • GetLastError.KERNEL32 ref: 00015F66
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ComputerErrorLastName
                                                                                                                          • String ID: Failed to get computer name.$Failed to set variant value.$variable.cpp
                                                                                                                          • API String ID: 3560734967-484636765
                                                                                                                          • Opcode ID: 90011682cb1ce50a7cc5d437ff467c21d264ae11d5d867d2bb3ad4375d471f8f
                                                                                                                          • Instruction ID: 6aad14ab442847b0d3f1d841ff8dde793e66da70f7f644e8a1cbe0cdbfe88720
                                                                                                                          • Opcode Fuzzy Hash: 90011682cb1ce50a7cc5d437ff467c21d264ae11d5d867d2bb3ad4375d471f8f
                                                                                                                          • Instruction Fuzzy Hash: 18110C33A41628ABD721DB94DC05BDFB7E8EB48712F01006AFD00FF280DA75AE4486E1
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • GetTempPathW.KERNEL32(00000104,?), ref: 000167E3
                                                                                                                          • GetLastError.KERNEL32 ref: 000167ED
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorLastPathTemp
                                                                                                                          • String ID: Failed to get temp path.$Failed to set variant value.$variable.cpp
                                                                                                                          • API String ID: 1238063741-2915113195
                                                                                                                          • Opcode ID: 28289ecdc873c783f51e39ded1d1ae1d0e7afab6305c37bfa3db93af1d3f7874
                                                                                                                          • Instruction ID: eb2c61ec6161c5ab328ff20081dd596f0c6a9f2bd4d42940faeb3034471a6c11
                                                                                                                          • Opcode Fuzzy Hash: 28289ecdc873c783f51e39ded1d1ae1d0e7afab6305c37bfa3db93af1d3f7874
                                                                                                                          • Instruction Fuzzy Hash: 0C012672E423396BE720AB549C06FEF779C9B00B11F100265FE04FB282EF65AD4486D5
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • WaitForSingleObject.KERNEL32(000000FF,?,00000000,?,?,00014F1C,?,000000FF,?,?,?,?,?,00000000,?,?), ref: 00050A38
                                                                                                                          • GetLastError.KERNEL32(?,?,00014F1C,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?), ref: 00050A46
                                                                                                                          • GetExitCodeProcess.KERNEL32(000000FF,?), ref: 00050A8B
                                                                                                                          • GetLastError.KERNEL32(?,?,00014F1C,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?), ref: 00050A95
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorLast$CodeExitObjectProcessSingleWait
                                                                                                                          • String ID: procutil.cpp
                                                                                                                          • API String ID: 590199018-1178289305
                                                                                                                          • Opcode ID: 2863812f1bdcaadf49b9bd7ee0f02f24260021f413d1f6e919bc764ceadb976b
                                                                                                                          • Instruction ID: dab11592f37c1b1991190df419f668d5b6b691832651617bf18806b3f71ae859
                                                                                                                          • Opcode Fuzzy Hash: 2863812f1bdcaadf49b9bd7ee0f02f24260021f413d1f6e919bc764ceadb976b
                                                                                                                          • Instruction Fuzzy Hash: E6110837D01736E7DB308B908D08AAFBAE4EF04762F128255FD14AB280D7359D04D6D2
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • GetCurrentProcess.KERNEL32(?), ref: 00015EA6
                                                                                                                            • Part of subcall function 00050ACC: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,00015EB2,00000000), ref: 00050AE0
                                                                                                                            • Part of subcall function 00050ACC: GetProcAddress.KERNEL32(00000000), ref: 00050AE7
                                                                                                                            • Part of subcall function 00050ACC: GetLastError.KERNEL32(?,?,?,00015EB2,00000000), ref: 00050AFE
                                                                                                                            • Part of subcall function 00053D1F: SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 00053D4C
                                                                                                                          Strings
                                                                                                                          • Failed to get shell folder., xrefs: 00015EDA
                                                                                                                          • Failed to set variant value., xrefs: 00015F0A
                                                                                                                          • Failed to get 64-bit folder., xrefs: 00015EF0
                                                                                                                          • variable.cpp, xrefs: 00015ED0
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: AddressCurrentErrorFolderHandleLastModulePathProcProcess
                                                                                                                          • String ID: Failed to get 64-bit folder.$Failed to get shell folder.$Failed to set variant value.$variable.cpp
                                                                                                                          • API String ID: 2084161155-3906113122
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                            • Part of subcall function 00054440: FindFirstFileW.KERNEL32(0003923A,?,00000100,00000000,00000000), ref: 0005447B
                                                                                                                            • Part of subcall function 00054440: FindClose.KERNEL32(00000000), ref: 00054487
                                                                                                                          • SetFileAttributesW.KERNEL32(0003923A,00000080,00000000,0003923A,000000FF,00000000,?,?,0003923A), ref: 00054182
                                                                                                                          • GetLastError.KERNEL32(?,?,0003923A), ref: 0005418C
                                                                                                                          • DeleteFileW.KERNEL32(0003923A,00000000,0003923A,000000FF,00000000,?,?,0003923A), ref: 000541AC
                                                                                                                          • GetLastError.KERNEL32(?,?,0003923A), ref: 000541B6
                                                                                                                          Strings
                                                                                                                          Similarity
                                                                                                                          • API ID: File$ErrorFindLast$AttributesCloseDeleteFirst
                                                                                                                          • String ID: fileutil.cpp
                                                                                                                          • API String ID: 3967264933-2967768451
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • EnterCriticalSection.KERNEL32(?), ref: 0003DA1A
                                                                                                                          • LeaveCriticalSection.KERNEL32(?), ref: 0003DA5F
                                                                                                                          • SetEvent.KERNEL32(?,?,?,?), ref: 0003DA73
                                                                                                                          Strings
                                                                                                                          • Failed to get state during job modification., xrefs: 0003DA33
                                                                                                                          • Failure while sending progress during BITS job modification., xrefs: 0003DA4E
                                                                                                                          Similarity
                                                                                                                          • API ID: CriticalSection$EnterEventLeave
                                                                                                                          • String ID: Failed to get state during job modification.$Failure while sending progress during BITS job modification.
                                                                                                                          • API String ID: 3094578987-1258544340
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • EnterCriticalSection.KERNEL32(00000008,?,00000000,00000000,00000000,?,0003DDEE), ref: 0003DC92
                                                                                                                          • LeaveCriticalSection.KERNEL32(00000008,?,0003DDEE), ref: 0003DCD7
                                                                                                                          • SetEvent.KERNEL32(?,?,0003DDEE), ref: 0003DCEB
                                                                                                                          Strings
                                                                                                                          • Failure while sending progress., xrefs: 0003DCC6
                                                                                                                          • Failed to get BITS job state., xrefs: 0003DCAB
                                                                                                                          Similarity
                                                                                                                          • API ID: CriticalSection$EnterEventLeave
                                                                                                                          • String ID: Failed to get BITS job state.$Failure while sending progress.
                                                                                                                          • API String ID: 3094578987-2876445054
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • InitializeCriticalSection.KERNEL32(00000008,00000000,00000000,?,0003DF52,?,?,?,?,?,?,00000000,00000000), ref: 0003D802
                                                                                                                          • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,0003DF52,?,?,?,?,?,?,00000000,00000000), ref: 0003D80D
                                                                                                                          • GetLastError.KERNEL32(?,0003DF52,?,?,?,?,?,?,00000000,00000000), ref: 0003D81A
                                                                                                                          Strings
                                                                                                                          • Failed to create BITS job complete event., xrefs: 0003D848
                                                                                                                          • bitsengine.cpp, xrefs: 0003D83E
                                                                                                                          Similarity
                                                                                                                          • API ID: CreateCriticalErrorEventInitializeLastSection
                                                                                                                          • String ID: Failed to create BITS job complete event.$bitsengine.cpp
                                                                                                                          • API String ID: 3069647169-3441864216
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • EnterCriticalSection.KERNEL32(000000D0,?,000000B8,00000000,?,00027040,000000B8,00000000,?,00000000,75C0B390), ref: 0001D4B7
                                                                                                                          • InterlockedCompareExchange.KERNEL32(000000E8,00000001,00000000), ref: 0001D4C6
                                                                                                                          • LeaveCriticalSection.KERNEL32(000000D0,?,00027040,000000B8,00000000,?,00000000,75C0B390), ref: 0001D4DB
                                                                                                                          Strings
                                                                                                                          • Engine active cannot be changed because it was already in that state., xrefs: 0001D4FE
                                                                                                                          • userexperience.cpp, xrefs: 0001D4F4
                                                                                                                          Similarity
                                                                                                                          • API ID: CriticalSection$CompareEnterExchangeInterlockedLeave
                                                                                                                          • String ID: Engine active cannot be changed because it was already in that state.$userexperience.cpp
                                                                                                                          • API String ID: 3376869089-1544469594
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • GetProcAddress.KERNEL32(SRSetRestorePointW,srclient.dll), ref: 00051CB3
                                                                                                                          • GetLastError.KERNEL32(?,000149DA,00000001,?,?,00014551,?,?,?,?,00015466,?,?,?,?), ref: 00051CC2
                                                                                                                          Strings
                                                                                                                          Similarity
                                                                                                                          • API ID: AddressErrorLastProc
                                                                                                                          • String ID: SRSetRestorePointW$srclient.dll$srputil.cpp
                                                                                                                          • API String ID: 199729137-398595594
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0004490E,00000000,?,000448AE,00000000,00077F08,0000000C,00044A05,00000000,00000002), ref: 0004497D
                                                                                                                          • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00044990
                                                                                                                          • FreeLibrary.KERNEL32(00000000,?,?,?,0004490E,00000000,?,000448AE,00000000,00077F08,0000000C,00044A05,00000000,00000002), ref: 000449B3
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                          • String ID: CorExitProcess$mscoree.dll
                                                                                                                          • API String ID: 4061214504-1276376045
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • GetLastError.KERNEL32 ref: 000293C9
                                                                                                                            • Part of subcall function 000556CF: GetLastError.KERNEL32(?,?,0002933A,?,00000003,00000000,?), ref: 000556EE
                                                                                                                          Strings
                                                                                                                          • Failed to find expected public key in certificate chain., xrefs: 0002938A
                                                                                                                          • Failed to get certificate public key identifier., xrefs: 000293F7
                                                                                                                          • Failed to read certificate thumbprint., xrefs: 000293BD
                                                                                                                          • cache.cpp, xrefs: 000293ED
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorLast
                                                                                                                          • String ID: Failed to find expected public key in certificate chain.$Failed to get certificate public key identifier.$Failed to read certificate thumbprint.$cache.cpp
                                                                                                                          • API String ID: 1452528299-3408201827
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • MultiByteToWideChar.KERNEL32(8007139F,00000000,?,?,00000000,00000000,80004005,8007139F,?,?,00050267,8007139F,?,00000000,00000000,8007139F), ref: 000121F2
                                                                                                                          • GetLastError.KERNEL32(?,00000000,00000000,80004005,8007139F,?,?,00050267,8007139F,?,00000000,00000000,8007139F), ref: 000121FE
                                                                                                                            • Part of subcall function 00013BD3: GetProcessHeap.KERNEL32(00000000,000001C7,?,000121CC,000001C7,80004005,8007139F,?,?,00050267,8007139F,?,00000000,00000000,8007139F), ref: 00013BDB
                                                                                                                            • Part of subcall function 00013BD3: HeapSize.KERNEL32(00000000,?,000121CC,000001C7,80004005,8007139F,?,?,00050267,8007139F,?,00000000,00000000,8007139F), ref: 00013BE2
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Heap$ByteCharErrorLastMultiProcessSizeWide
                                                                                                                          • String ID: strutil.cpp
                                                                                                                          • API String ID: 3662877508-3612885251
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                            • Part of subcall function 00050F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,0007AAA0,00000000,?,000557E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00050F80
                                                                                                                          • RegCloseKey.ADVAPI32(00000001,00000001,?,00000000,00000001,?,00000000,00000001,00000000,00020019,00000001,00000000,00000000,00020019,00000000,00000001), ref: 000595D5
                                                                                                                          • RegCloseKey.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000,00000001,?,00000000,00000001,00000000,00020019), ref: 00059610
                                                                                                                          • RegCloseKey.ADVAPI32(00000001,00000001,00020019,00000000,00000000,00000000,00000000,00000000,?), ref: 0005962C
                                                                                                                          • RegCloseKey.ADVAPI32(00000000,00000001,00020019,00000000,00000000,00000000,00000000,00000000,?), ref: 00059639
                                                                                                                          • RegCloseKey.ADVAPI32(00000000,00000001,00020019,00000000,00000000,00000000,00000000,00000000,?), ref: 00059646
                                                                                                                            • Part of subcall function 00050FD5: RegQueryInfoKeyW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,000595C2,00000001), ref: 00050FED
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Close$InfoOpenQuery
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 796878624-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • lstrlenW.KERNEL32(?,?,00000000,00000000,?,?,00018BC8,0001972D,?,0001972D,?,?,0001972D,?,?), ref: 00018A27
                                                                                                                          • lstrlenW.KERNEL32(?,?,00000000,00000000,?,?,00018BC8,0001972D,?,0001972D,?,?,0001972D,?,?), ref: 00018A2F
                                                                                                                          • CompareStringW.KERNEL32(0000007F,?,?,?,?,00000000,?,00000000,00000000,?,?,00018BC8,0001972D,?,0001972D,?), ref: 00018A7E
                                                                                                                          • CompareStringW.KERNEL32(0000007F,?,?,00000000,?,00000000,?,00000000,00000000,?,?,00018BC8,0001972D,?,0001972D,?), ref: 00018AE0
                                                                                                                          • CompareStringW.KERNEL32(0000007F,?,?,00000000,?,00000000,?,00000000,00000000,?,?,00018BC8,0001972D,?,0001972D,?), ref: 00018B0D
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CompareString$lstrlen
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1657112622-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • EnterCriticalSection.KERNEL32(000153BD,WixBundleOriginalSource,?,?,0002A623,840F01E8,WixBundleOriginalSource,?,0007AA90,?,00000000,00015445,00000001,?,?,00015445), ref: 000174C3
                                                                                                                          • LeaveCriticalSection.KERNEL32(000153BD,000153BD,00000000,00000000,?,?,0002A623,840F01E8,WixBundleOriginalSource,?,0007AA90,?,00000000,00015445,00000001,?), ref: 0001752A
                                                                                                                          Strings
                                                                                                                          • Failed to get value of variable: %ls, xrefs: 000174FD
                                                                                                                          • WixBundleOriginalSource, xrefs: 000174BF
                                                                                                                          • Failed to get value as string for variable: %ls, xrefs: 00017519
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CriticalSection$EnterLeave
                                                                                                                          • String ID: Failed to get value as string for variable: %ls$Failed to get value of variable: %ls$WixBundleOriginalSource
                                                                                                                          • API String ID: 3168844106-30613933
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • CloseHandle.KERNEL32(?,00000000,?,00000000,?,0003D148,00000000), ref: 0003D16D
                                                                                                                          • CloseHandle.KERNEL32(00000000,00000000,?,00000000,?,0003D148,00000000), ref: 0003D179
                                                                                                                          • CloseHandle.KERNEL32(0005B518,00000000,?,00000000,?,0003D148,00000000), ref: 0003D186
                                                                                                                          • CloseHandle.KERNEL32(00000000,00000000,?,00000000,?,0003D148,00000000), ref: 0003D193
                                                                                                                          • UnmapViewOfFile.KERNEL32(0005B4E8,00000000,?,0003D148,00000000), ref: 0003D1A2
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CloseHandle$FileUnmapView
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 260491571-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • SystemTimeToFileTime.KERNEL32(?,00000000,00000000,clbcatq.dll,00000000,clbcatq.dll,00000000,00000000,00000000), ref: 00058820
                                                                                                                          • GetLastError.KERNEL32 ref: 0005882A
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          Similarity
                                                                                                                          • API ID: Time$ErrorFileLastSystem
                                                                                                                          • String ID: clbcatq.dll$timeutil.cpp
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • VariantInit.OLEAUT32(000002C0), ref: 000536E6
                                                                                                                          • SysAllocString.OLEAUT32(?), ref: 000536F6
                                                                                                                          • VariantClear.OLEAUT32(?), ref: 000537D5
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          Similarity
                                                                                                                          • API ID: Variant$AllocClearInitString
                                                                                                                          • String ID: xmlutil.cpp
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • RegEnumKeyExW.ADVAPI32(00000000,000002C0,00000410,00000002,00000000,00000000,00000000,00000000,00000410,00000002,00000100,00000000,00000000,?,?,00038E1B), ref: 00050EAA
                                                                                                                          • RegQueryInfoKeyW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00038E1B,00000000), ref: 00050EC8
                                                                                                                          • RegEnumKeyExW.ADVAPI32(00000000,000002C0,00000410,00000002,00000000,00000000,00000000,00000000,00000410,00000003,?,?,00038E1B,00000000,00000000,00000000), ref: 00050F1E
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          Similarity
                                                                                                                          • API ID: Enum$InfoQuery
                                                                                                                          • String ID: regutil.cpp
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                            • Part of subcall function 00050F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,0007AAA0,00000000,?,000557E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00050F80
                                                                                                                          • RegCloseKey.ADVAPI32(00000000,00000000,00000088,00000000,000002C0,00000410,00020019,00000000,000002C0,00000000,?,?,?,00038E57,00000000,00000000), ref: 00038BD4
                                                                                                                          Strings
                                                                                                                          • Failed to open uninstall key for potential related bundle: %ls, xrefs: 00038B43
                                                                                                                          • Failed to ensure there is space for related bundles., xrefs: 00038B87
                                                                                                                          • Failed to initialize package from related bundle id: %ls, xrefs: 00038BBA
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          Similarity
                                                                                                                          • API ID: CloseOpen
                                                                                                                          • String ID: Failed to ensure there is space for related bundles.$Failed to initialize package from related bundle id: %ls$Failed to open uninstall key for potential related bundle: %ls
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • GetProcessHeap.KERNEL32(00000000,00000000,80004005,00000000,00000000,00000100,?,00011474,00000000,80004005,00000000,80004005,00000000,000001C7,?,000113B8), ref: 00013B33
                                                                                                                          • HeapReAlloc.KERNEL32(00000000,?,00011474,00000000,80004005,00000000,80004005,00000000,000001C7,?,000113B8,000001C7,00000100,?,80004005,00000000), ref: 00013B3A
                                                                                                                            • Part of subcall function 0001394F: GetProcessHeap.KERNEL32(?,000001C7,?,00012274,000001C7,00000001,80004005,8007139F,?,?,00050267,8007139F,?,00000000,00000000,8007139F), ref: 00013960
                                                                                                                            • Part of subcall function 0001394F: RtlAllocateHeap.NTDLL(00000000,?,00012274,000001C7,00000001,80004005,8007139F,?,?,00050267,8007139F,?,00000000,00000000,8007139F), ref: 00013967
                                                                                                                            • Part of subcall function 00013BD3: GetProcessHeap.KERNEL32(00000000,000001C7,?,000121CC,000001C7,80004005,8007139F,?,?,00050267,8007139F,?,00000000,00000000,8007139F), ref: 00013BDB
                                                                                                                            • Part of subcall function 00013BD3: HeapSize.KERNEL32(00000000,?,000121CC,000001C7,80004005,8007139F,?,?,00050267,8007139F,?,00000000,00000000,8007139F), ref: 00013BE2
                                                                                                                          • _memcpy_s.LIBCMT ref: 00013B86
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          Similarity
                                                                                                                          • API ID: Heap$Process$AllocAllocateSize_memcpy_s
                                                                                                                          • String ID: memutil.cpp
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • GetLastError.KERNEL32 ref: 00058991
                                                                                                                          • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 000589B9
                                                                                                                          • GetLastError.KERNEL32 ref: 000589C3
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorLastTime$FileSystem
                                                                                                                          • String ID: inetutil.cpp
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                            • Part of subcall function 00050F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,0007AAA0,00000000,?,000557E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00050F80
                                                                                                                          • RegCloseKey.ADVAPI32(00000000,SOFTWARE\Policies\Microsoft\Windows\Installer,00020019,00000001,feclient.dll,?,?,?,00023FB5,feclient.dll,?,00000000,?,?,?,00014B12), ref: 00023B42
                                                                                                                            • Part of subcall function 000510B5: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 0005112B
                                                                                                                            • Part of subcall function 000510B5: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00051163
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          Similarity
                                                                                                                          • API ID: QueryValue$CloseOpen
                                                                                                                          • String ID: Logging$SOFTWARE\Policies\Microsoft\Windows\Installer$feclient.dll
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • CommandLineToArgvW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,ignored ,00000000,?,00000000,?,?,?,0001523F,00000000,?), ref: 00011248
                                                                                                                          • GetLastError.KERNEL32(?,?,?,0001523F,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 00011252
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ArgvCommandErrorLastLine
                                                                                                                          • String ID: apputil.cpp$ignored
                                                                                                                          • API String ID: 3459693003-568828354
                                                                                                                          • Opcode ID: 24c0d9efaddb8ebe29f68408ff56a45e91d2a5858f07748d74515dcdf5799073
                                                                                                                          • Instruction ID: 0afadf88a5cfe6a5ea85c4c408ba8a28570ac8b50f04abb5332758be5f2a6b8e
                                                                                                                          • Opcode Fuzzy Hash: 24c0d9efaddb8ebe29f68408ff56a45e91d2a5858f07748d74515dcdf5799073
                                                                                                                          • Instruction Fuzzy Hash: BB118F76901629EB8B25DB99C805DEFBBECEF44750F010155FE04E7251EB31AE50DAA0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • CloseHandle.KERNEL32(00000000,00000000,00000000,?,0004E6A0,00000000,000781F8,0000000C), ref: 0004E7D8
                                                                                                                          • GetLastError.KERNEL32(?,0004E6A0,00000000,000781F8,0000000C), ref: 0004E7E2
                                                                                                                          • __dosmaperr.LIBCMT ref: 0004E80D
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CloseErrorHandleLast__dosmaperr
                                                                                                                          • String ID: nj
                                                                                                                          • API String ID: 2583163307-2988989171
                                                                                                                          • Opcode ID: f94d2b250221be72713f4638a3612f8fb6e0c52758653d3136a1d361814a5f03
                                                                                                                          • Instruction ID: c1090d49594275ee09b486bc4cd10878756b117d8f8abf329ca36f24fe52a42d
                                                                                                                          • Opcode Fuzzy Hash: f94d2b250221be72713f4638a3612f8fb6e0c52758653d3136a1d361814a5f03
                                                                                                                          • Instruction Fuzzy Hash: F20126B2A0829016F6642335E8497BF7BC9AFC1734F254579FC09871C3DFB49C818258
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • WaitForSingleObject.KERNEL32(?,000000FF,00000002,00000000,?,?,0003D3EE,00000000,00000000,00000000,?), ref: 0003D1C3
                                                                                                                          • ReleaseMutex.KERNEL32(?,?,0003D3EE,00000000,00000000,00000000,?), ref: 0003D24A
                                                                                                                            • Part of subcall function 0001394F: GetProcessHeap.KERNEL32(?,000001C7,?,00012274,000001C7,00000001,80004005,8007139F,?,?,00050267,8007139F,?,00000000,00000000,8007139F), ref: 00013960
                                                                                                                            • Part of subcall function 0001394F: RtlAllocateHeap.NTDLL(00000000,?,00012274,000001C7,00000001,80004005,8007139F,?,?,00050267,8007139F,?,00000000,00000000,8007139F), ref: 00013967
                                                                                                                          Strings
                                                                                                                          • Failed to allocate memory for message data, xrefs: 0003D212
                                                                                                                          • NetFxChainer.cpp, xrefs: 0003D208
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Heap$AllocateMutexObjectProcessReleaseSingleWait
                                                                                                                          • String ID: Failed to allocate memory for message data$NetFxChainer.cpp
                                                                                                                          • API String ID: 2993511968-1624333943
                                                                                                                          • Opcode ID: ca6aa21c82a7d1606916081309cbd4bc82755e17ccdd207cbfc4e82588235f26
                                                                                                                          • Instruction ID: d652192a695c398838c3b5e5cbc0427d15fa1d8e6859eda25492289cf0f993f5
                                                                                                                          • Opcode Fuzzy Hash: ca6aa21c82a7d1606916081309cbd4bc82755e17ccdd207cbfc4e82588235f26
                                                                                                                          • Instruction Fuzzy Hash: 591191B5300215EFDB159F64E885EAAB7F8FF49720F104265F9149B362C771AC10CBA4
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • FormatMessageW.KERNEL32(0001428F,0001548E,?,00000000,00000000,00000000,?,80070656,?,?,?,0002E75C,00000000,0001548E,00000000,80070656), ref: 00011F9A
                                                                                                                          • GetLastError.KERNEL32(?,?,?,0002E75C,00000000,0001548E,00000000,80070656,?,?,000240BF,0001548E,?,80070656,00000001,crypt32.dll), ref: 00011FA7
                                                                                                                          • LocalFree.KERNEL32(00000000,?,00000000,00000000,?,?,?,0002E75C,00000000,0001548E,00000000,80070656,?,?,000240BF,0001548E), ref: 00011FEE
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorFormatFreeLastLocalMessage
                                                                                                                          • String ID: strutil.cpp
                                                                                                                          • API String ID: 1365068426-3612885251
                                                                                                                          • Opcode ID: 025c108b1a30113fd3288973b176511a3e50c2ebeba5e97f4a8a574429c3f379
                                                                                                                          • Instruction ID: 1d5a6d1a25a95700efd1286f1ef564f9b3740cea5c69326e4dda6ade6648c235
                                                                                                                          • Opcode Fuzzy Hash: 025c108b1a30113fd3288973b176511a3e50c2ebeba5e97f4a8a574429c3f379
                                                                                                                          • Instruction Fuzzy Hash: 8A016DB791122ABBDB248FD4DC09AEFBAACEB04751F114165BE04E7250E7349E409AE0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                            • Part of subcall function 00050F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,0007AAA0,00000000,?,000557E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00050F80
                                                                                                                          • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000001,00000000,00000001,00000000,?,?,00020006,00000000,00000001,00000000), ref: 00020791
                                                                                                                          Strings
                                                                                                                          • Failed to open registration key., xrefs: 00020748
                                                                                                                          • Failed to update name and publisher., xrefs: 0002077B
                                                                                                                          • Failed to update resume mode., xrefs: 00020762
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CloseOpen
                                                                                                                          • String ID: Failed to open registration key.$Failed to update name and publisher.$Failed to update resume mode.
                                                                                                                          • API String ID: 47109696-1865096027
                                                                                                                          • Opcode ID: 37a429bb8f39a3e03edab32fcfa0e2e48cdf5f3e17e4b58610384dc09d4d90c6
                                                                                                                          • Instruction ID: 337eee0ddb0b605f741f3e150e8389ab7c74dc34e6a72e955f518940eab8ca54
                                                                                                                          • Opcode Fuzzy Hash: 37a429bb8f39a3e03edab32fcfa0e2e48cdf5f3e17e4b58610384dc09d4d90c6
                                                                                                                          • Instruction Fuzzy Hash: 0801D832D44339F7CB225684DC46BEE7679AB00B21F140151F900B6151D772BE10ABD0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • CreateFileW.KERNEL32(0005B500,40000000,00000001,00000000,00000002,00000080,00000000,000204BF,00000000,?,0001F4F4,?,00000080,0005B500,00000000), ref: 00054DCB
                                                                                                                          • GetLastError.KERNEL32(?,0001F4F4,?,00000080,0005B500,00000000,?,000204BF,?,00000094,?,?,?,?,?,00000000), ref: 00054DD8
                                                                                                                          • CloseHandle.KERNEL32(00000000,00000000,?,0001F4F4,?,0001F4F4,?,00000080,0005B500,00000000,?,000204BF,?,00000094), ref: 00054E2C
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CloseCreateErrorFileHandleLast
                                                                                                                          • String ID: fileutil.cpp
                                                                                                                          • API String ID: 2528220319-2967768451
                                                                                                                          • Opcode ID: ea660d36c51f40f39d21d420c0caaa836bc36cbfc15f69ba3cd23cd7f9925821
                                                                                                                          • Instruction ID: 65f1e9c432f1d7bd9713fb2eed0749f65953543f39535738acc3f701b386ade6
                                                                                                                          • Opcode Fuzzy Hash: ea660d36c51f40f39d21d420c0caaa836bc36cbfc15f69ba3cd23cd7f9925821
                                                                                                                          • Instruction Fuzzy Hash: 6601D433641225A7D7325E689C06FDF3AA8AB41B76F014310FF21AB1D0D771DC5196E0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • CreateFileW.KERNEL32(00000000,00000080,00000001,00000000,00000003,00000080,00000000,000002C0,00000000,?,00038C76,00000000,00000088,000002C0,BundleCachePath,00000000), ref: 000549AE
                                                                                                                          • GetLastError.KERNEL32(?,00038C76,00000000,00000088,000002C0,BundleCachePath,00000000,000002C0,BundleVersion,000000B8,000002C0,EngineVersion,000002C0,000000B0), ref: 000549BB
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CreateErrorFileLast
                                                                                                                          • String ID: fileutil.cpp
                                                                                                                          • API String ID: 1214770103-2967768451
                                                                                                                          • Opcode ID: 27e09a335ea8fd7655529eea500f12413cc090748b5dff565ec7edab83888b8a
                                                                                                                          • Instruction ID: 46a6e4c228cb33442cbf18e4c018a14f4d5896c8277b1d8e51f3d32e10dd5b72
                                                                                                                          • Opcode Fuzzy Hash: 27e09a335ea8fd7655529eea500f12413cc090748b5dff565ec7edab83888b8a
                                                                                                                          • Instruction Fuzzy Hash: 2701D637A80234B7E33126955C0BFEF669CAB00B76F114211FF45AE1C0CB699D5496E4
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • ControlService.ADVAPI32(00036AFD,00000001,?,00000001,00000000,?,?,?,?,?,?,00036AFD,00000000), ref: 00036C13
                                                                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,00036AFD,00000000), ref: 00036C1D
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          Similarity
                                                                                                                          • API ID: ControlErrorLastService
                                                                                                                          • String ID: Failed to stop wusa service.$msuengine.cpp
                                                                                                                          • API String ID: 4114567744-2259829683
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • SysAllocString.OLEAUT32(?), ref: 0005396E
                                                                                                                          • SysFreeString.OLEAUT32(00000000), ref: 000539A1
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          Similarity
                                                                                                                          • API ID: String$AllocFree
                                                                                                                          • String ID: `<u$xmlutil.cpp
                                                                                                                          • API String ID: 344208780-3482516102
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • SysAllocString.OLEAUT32(?), ref: 000539F4
                                                                                                                          • SysFreeString.OLEAUT32(00000000), ref: 00053A27
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          Similarity
                                                                                                                          • API ID: String$AllocFree
                                                                                                                          • String ID: `<u$xmlutil.cpp
                                                                                                                          • API String ID: 344208780-3482516102
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • SysFreeString.OLEAUT32(?), ref: 0005690F
                                                                                                                            • Part of subcall function 00058713: SystemTimeToFileTime.KERNEL32(?,00000000,00000000,clbcatq.dll,00000000,clbcatq.dll,00000000,00000000,00000000), ref: 00058820
                                                                                                                            • Part of subcall function 00058713: GetLastError.KERNEL32 ref: 0005882A
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          Similarity
                                                                                                                          • API ID: Time$ErrorFileFreeLastStringSystem
                                                                                                                          • String ID: `<u$atomutil.cpp$clbcatq.dll
                                                                                                                          • API String ID: 211557998-1658759192
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • PostThreadMessageW.USER32(?,00009002,00000000,?), ref: 0002ECED
                                                                                                                          • GetLastError.KERNEL32 ref: 0002ECF7
                                                                                                                          Strings
                                                                                                                          • Failed to post elevate message., xrefs: 0002ED25
                                                                                                                          • EngineForApplication.cpp, xrefs: 0002ED1B
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorLastMessagePostThread
                                                                                                                          • String ID: EngineForApplication.cpp$Failed to post elevate message.
                                                                                                                          • API String ID: 2609174426-4098423239
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • GetProcAddress.KERNEL32(?,BootstrapperApplicationDestroy), ref: 0001D903
                                                                                                                          • FreeLibrary.KERNEL32(?,?,000148D7,00000000,?,?,0001548E,?,?), ref: 0001D912
                                                                                                                          • GetLastError.KERNEL32(?,000148D7,00000000,?,?,0001548E,?,?), ref: 0001D91C
                                                                                                                          Strings
                                                                                                                          • BootstrapperApplicationDestroy, xrefs: 0001D8FB
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          Similarity
                                                                                                                          • API ID: AddressErrorFreeLastLibraryProc
                                                                                                                          • String ID: BootstrapperApplicationDestroy
                                                                                                                          • API String ID: 1144718084-3186005537
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • SysAllocString.OLEAUT32(?), ref: 00053200
                                                                                                                          • SysFreeString.OLEAUT32(00000000), ref: 00053230
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          Similarity
                                                                                                                          • API ID: String$AllocFree
                                                                                                                          • String ID: `<u$xmlutil.cpp
                                                                                                                          • API String ID: 344208780-3482516102
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • SysAllocString.OLEAUT32(?), ref: 000534AD
                                                                                                                          • SysFreeString.OLEAUT32(00000000), ref: 000534DD
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          Similarity
                                                                                                                          • API ID: String$AllocFree
                                                                                                                          • String ID: `<u$xmlutil.cpp
                                                                                                                          • API String ID: 344208780-3482516102
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • PostThreadMessageW.USER32(?,00009001,00000000,?), ref: 0002F2EE
                                                                                                                          • GetLastError.KERNEL32 ref: 0002F2F8
                                                                                                                          Strings
                                                                                                                          • EngineForApplication.cpp, xrefs: 0002F31C
                                                                                                                          • Failed to post plan message., xrefs: 0002F326
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorLastMessagePostThread
                                                                                                                          • String ID: EngineForApplication.cpp$Failed to post plan message.
                                                                                                                          • API String ID: 2609174426-2952114608
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • PostThreadMessageW.USER32(?,00009005,?,00000000), ref: 0002F3FC
                                                                                                                          • GetLastError.KERNEL32 ref: 0002F406
                                                                                                                          Strings
                                                                                                                          • Failed to post shutdown message., xrefs: 0002F434
                                                                                                                          • EngineForApplication.cpp, xrefs: 0002F42A
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorLastMessagePostThread
                                                                                                                          • String ID: EngineForApplication.cpp$Failed to post shutdown message.
                                                                                                                          • API String ID: 2609174426-188808143
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • SetEvent.KERNEL32(0005B478,00000000,?,00031717,?,00000000,?,0001C287,?,00015405,?,000275A5,?,?,00015405,?), ref: 000307BF
                                                                                                                          • GetLastError.KERNEL32(?,00031717,?,00000000,?,0001C287,?,00015405,?,000275A5,?,?,00015405,?,00015445,00000001), ref: 000307C9
                                                                                                                          Strings
                                                                                                                          • cabextract.cpp, xrefs: 000307ED
                                                                                                                          • Failed to set begin operation event., xrefs: 000307F7
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorEventLast
                                                                                                                          • String ID: Failed to set begin operation event.$cabextract.cpp
                                                                                                                          • API String ID: 3848097054-4159625223
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • PostThreadMessageW.USER32(?,00009003,00000000,?), ref: 0002EBE0
                                                                                                                          • GetLastError.KERNEL32 ref: 0002EBEA
                                                                                                                          Strings
                                                                                                                          • EngineForApplication.cpp, xrefs: 0002EC0E
                                                                                                                          • Failed to post apply message., xrefs: 0002EC18
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorLastMessagePostThread
                                                                                                                          • String ID: EngineForApplication.cpp$Failed to post apply message.
                                                                                                                          • API String ID: 2609174426-1304321051
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • PostThreadMessageW.USER32(?,00009000,00000000,?), ref: 0002EC71
                                                                                                                          • GetLastError.KERNEL32 ref: 0002EC7B
                                                                                                                          Strings
                                                                                                                          • EngineForApplication.cpp, xrefs: 0002EC9F
                                                                                                                          • Failed to post detect message., xrefs: 0002ECA9
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorLastMessagePostThread
                                                                                                                          • String ID: EngineForApplication.cpp$Failed to post detect message.
                                                                                                                          • API String ID: 2609174426-598219917
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: __alldvrm$_strrchr
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1036877536-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: lstrlen
                                                                                                                          • String ID: dlutil.cpp
                                                                                                                          • API String ID: 1659193697-2067379296
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • MultiByteToWideChar.KERNEL32(?,00000000,ECE85006,00042444,00000000,00000000,00043479,?,00043479,?,00000001,00042444,ECE85006,00000001,00043479,00043479), ref: 00049278
                                                                                                                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00049301
                                                                                                                          • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00049313
                                                                                                                          • __freea.LIBCMT ref: 0004931C
                                                                                                                            • Part of subcall function 0004521A: HeapAlloc.KERNEL32(00000000,?,?,?,00041F87,?,0000015D,?,?,?,?,000433E0,000000FF,00000000,?,?), ref: 0004524C
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ByteCharMultiWide$AllocHeapStringType__freea
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 573072132-0
                                                                                                                          • Opcode ID: 27617762144b027fbd97df468bc2c724b5c0f8057bd2e8914cddd3bcc9ee8aa2
                                                                                                                          • Instruction ID: 8a1e94520cdff37d39aa73c3485dcbceb389e029708b944d22c2ac46d40b728d
                                                                                                                          • Opcode Fuzzy Hash: 27617762144b027fbd97df468bc2c724b5c0f8057bd2e8914cddd3bcc9ee8aa2
                                                                                                                          • Instruction Fuzzy Hash: 01319AB2A0020AABDF259F64CC85EAF7BA5EB41311B090178FC04D6191EB35DD91CBA4
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • CloseHandle.KERNEL32(?,?,?,00000000,?,00015552,?,?,?,?,?,?), ref: 00014FFE
                                                                                                                          • DeleteCriticalSection.KERNEL32(?,?,?,00000000,?,00015552,?,?,?,?,?,?), ref: 00015012
                                                                                                                          • TlsFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00015552,?,?), ref: 00015101
                                                                                                                          • DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00015552,?,?), ref: 00015108
                                                                                                                            • Part of subcall function 00011161: LocalFree.KERNEL32(?,?,00014FBB,?,00000000,?,00015552,?,?,?,?,?,?), ref: 0001116B
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CriticalDeleteFreeSection$CloseHandleLocal
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3671900028-0
                                                                                                                          • Opcode ID: 3df1686a3fe4cb5f0c3ad514d24ce680ed76ae9f1bb871723423f2b9a5afcd58
                                                                                                                          • Instruction ID: 149e259fe6837fa35c242372b0f6909f5b6cb0120551d68c8b25d9c67a862177
                                                                                                                          • Opcode Fuzzy Hash: 3df1686a3fe4cb5f0c3ad514d24ce680ed76ae9f1bb871723423f2b9a5afcd58
                                                                                                                          • Instruction Fuzzy Hash: 3741EA71500B45ABDA71EBB0CC99FDB73ECAF04342F440C29B69AD7052EB34E5858764
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                            • Part of subcall function 0001F96C: RegCloseKey.ADVAPI32(00000000,?,?,00000001,00000000,00000000,?,?,00014CA5,?,?,00000001), ref: 0001F9BC
                                                                                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,?,?,00000001,00000000,?,?,?), ref: 00014D0C
                                                                                                                          Strings
                                                                                                                          • Failed to get current process path., xrefs: 00014CCA
                                                                                                                          • Failed to re-launch bundle process after RunOnce: %ls, xrefs: 00014CF6
                                                                                                                          • Unable to get resume command line from the registry, xrefs: 00014CAB
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Close$Handle
                                                                                                                          • String ID: Failed to get current process path.$Failed to re-launch bundle process after RunOnce: %ls$Unable to get resume command line from the registry
                                                                                                                          • API String ID: 187904097-642631345
                                                                                                                          • Opcode ID: bf34d1fa808292a6a9220ce8055fa57e8bcf8ad247f1c1e656b469b3c04a72db
                                                                                                                          • Instruction ID: e003ebb474ef835ec6ea3a19f0a92c81cc155f9f6b13ef8788011f676f78b42f
                                                                                                                          • Opcode Fuzzy Hash: bf34d1fa808292a6a9220ce8055fa57e8bcf8ad247f1c1e656b469b3c04a72db
                                                                                                                          • Instruction Fuzzy Hash: 72112E71D01618BBCF22AB95DC028EFBBB8EF50752B1041A6FD10B7221E7319E949B80
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00048A56,00000000,00000000,?,00048859,00048A56,00000000,00000000,00000000,?,00048A56,00000006,FlsSetValue), ref: 000488E4
                                                                                                                          • GetLastError.KERNEL32(?,00048859,00048A56,00000000,00000000,00000000,?,00048A56,00000006,FlsSetValue,00072404,0007240C,00000000,00000364,?,00046230), ref: 000488F0
                                                                                                                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00048859,00048A56,00000000,00000000,00000000,?,00048A56,00000006,FlsSetValue,00072404,0007240C,00000000), ref: 000488FE
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: LibraryLoad$ErrorLast
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3177248105-0
                                                                                                                          • Opcode ID: 34cdd420ab25e8863b24d29a65647b413830c6566d3c3176542fe188a1f9598b
                                                                                                                          • Instruction ID: 41a4095378e50fcf09e9cc7f8ad38c91210217d741ca6fa2b75dd757732893e5
                                                                                                                          • Opcode Fuzzy Hash: 34cdd420ab25e8863b24d29a65647b413830c6566d3c3176542fe188a1f9598b
                                                                                                                          • Instruction Fuzzy Hash: 5E01D872641727ABD7314A699C44A6F77D8EF05BA2B144D30F919E3180DB34DC00C7E5
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • GetLastError.KERNEL32(?,00000000,00041AEC,00000000,80004004,?,00041DF0,00000000,80004004,00000000,00000000), ref: 00046162
                                                                                                                          • SetLastError.KERNEL32(00000000,80004004,00000000,00000000), ref: 000461CA
                                                                                                                          • SetLastError.KERNEL32(00000000,80004004,00000000,00000000), ref: 000461D6
                                                                                                                          • _abort.LIBCMT ref: 000461DC
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorLast$_abort
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 88804580-0
                                                                                                                          • Opcode ID: 7a6bef35bc89585a5ffadcb1b84f26869a1f5ea9e935ae29027a7c3e04ebd183
                                                                                                                          • Instruction ID: 776e87c2597ad992c770cc8444fd7af99fdb794307acfc2a4c5320947bd67755
                                                                                                                          • Opcode Fuzzy Hash: 7a6bef35bc89585a5ffadcb1b84f26869a1f5ea9e935ae29027a7c3e04ebd183
                                                                                                                          • Instruction Fuzzy Hash: E0F0F4F5600B0167D32237256C0AFAF26A98BC3772F290135F919A61B3FF299C42417E
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • EnterCriticalSection.KERNEL32(?), ref: 00017441
                                                                                                                          • LeaveCriticalSection.KERNEL32(?,?,?,00000000), ref: 000174A8
                                                                                                                          Strings
                                                                                                                          • Failed to get value of variable: %ls, xrefs: 0001747B
                                                                                                                          • Failed to get value as numeric for variable: %ls, xrefs: 00017497
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CriticalSection$EnterLeave
                                                                                                                          • String ID: Failed to get value as numeric for variable: %ls$Failed to get value of variable: %ls
                                                                                                                          • API String ID: 3168844106-4270472870
                                                                                                                          • Opcode ID: 68486b76fbe69c7223b9cd5cd686ffe311439adbee51429bd3253d3bf3352c8a
                                                                                                                          • Instruction ID: b4d16db4fa115799e81c48ae511c3264533fbf3c44f46ac0f524ee7d566e0352
                                                                                                                          • Opcode Fuzzy Hash: 68486b76fbe69c7223b9cd5cd686ffe311439adbee51429bd3253d3bf3352c8a
                                                                                                                          • Instruction Fuzzy Hash: E9017132945228FBDF215E54CD05ADF7F78AF04726F118161FD08AB221C336AE509BD4
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • EnterCriticalSection.KERNEL32(?), ref: 000175B6
                                                                                                                          • LeaveCriticalSection.KERNEL32(?,?,?,00000000), ref: 0001761D
                                                                                                                          Strings
                                                                                                                          • Failed to get value of variable: %ls, xrefs: 000175F0
                                                                                                                          • Failed to get value as version for variable: %ls, xrefs: 0001760C
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CriticalSection$EnterLeave
                                                                                                                          • String ID: Failed to get value as version for variable: %ls$Failed to get value of variable: %ls
                                                                                                                          • API String ID: 3168844106-1851729331
                                                                                                                          • Opcode ID: f35aea706da0a0ecf670350037b0128dd7548804337df27383b8f91c1d4141c1
                                                                                                                          • Instruction ID: ae42796860ac41d88992d768bbd157a233803d5953b9f27788ceb0c57960359f
                                                                                                                          • Opcode Fuzzy Hash: f35aea706da0a0ecf670350037b0128dd7548804337df27383b8f91c1d4141c1
                                                                                                                          • Instruction Fuzzy Hash: 13017C32944A28FBCF225E44CC09ADE7BB9EF10722F004161FD08AA221D7769E909BD4
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • EnterCriticalSection.KERNEL32(00000000,00000000,00000006,?,00019897,00000000,?,00000000,00000000,00000000,?,000196D6,00000000,?,00000000,00000000), ref: 00017545
                                                                                                                          • LeaveCriticalSection.KERNEL32(00000000,00000000,00000000,00000000,?,00019897,00000000,?,00000000,00000000,00000000,?,000196D6,00000000,?,00000000), ref: 0001759B
                                                                                                                          Strings
                                                                                                                          • Failed to copy value of variable: %ls, xrefs: 0001758A
                                                                                                                          • Failed to get value of variable: %ls, xrefs: 0001756B
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CriticalSection$EnterLeave
                                                                                                                          • String ID: Failed to copy value of variable: %ls$Failed to get value of variable: %ls
                                                                                                                          • API String ID: 3168844106-2936390398
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • EnterCriticalSection.KERNEL32(0007B5FC,00000000,00024132,feclient.dll,?,00000000,?,?,?,00014B12,?,?,0005B488,?,00000001,00000000), ref: 0005017A
                                                                                                                          • CloseHandle.KERNEL32(FFFFFFFF,?,?,00014B12,?,?,0005B488,?,00000001,00000000,00000000,?,?,0001548E,?,?), ref: 00050195
                                                                                                                          • LeaveCriticalSection.KERNEL32(0007B5FC,?,?,00014B12,?,?,0005B488,?,00000001,00000000,00000000,?,?,0001548E,?,?), ref: 000501CF
                                                                                                                          Strings
                                                                                                                          Similarity
                                                                                                                          • API ID: CriticalSection$CloseEnterHandleLeave
                                                                                                                          • String ID: P o
                                                                                                                          • API String ID: 2394387412-3681857481
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 0003E788
                                                                                                                          • GetCurrentThreadId.KERNEL32 ref: 0003E797
                                                                                                                          • GetCurrentProcessId.KERNEL32 ref: 0003E7A0
                                                                                                                          • QueryPerformanceCounter.KERNEL32(?), ref: 0003E7AD
                                                                                                                          Similarity
                                                                                                                          • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2933794660-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • RegCloseKey.ADVAPI32(00000000), ref: 00050DD7
                                                                                                                          Strings
                                                                                                                          Similarity
                                                                                                                          • API ID: Close
                                                                                                                          • String ID: regutil.cpp
                                                                                                                          • API String ID: 3535843008-955085611
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                            • Part of subcall function 00050F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,0007AAA0,00000000,?,000557E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00050F80
                                                                                                                          • RegCloseKey.ADVAPI32(00000000,80000002,SYSTEM\CurrentControlSet\Control\Session Manager,00000003,?,00000000,00000000,00000101), ref: 000548FC
                                                                                                                          Strings
                                                                                                                          Similarity
                                                                                                                          • API ID: CloseOpen
                                                                                                                          • String ID: PendingFileRenameOperations$SYSTEM\CurrentControlSet\Control\Session Manager
                                                                                                                          • API String ID: 47109696-3023217399
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 0005112B
                                                                                                                          • RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00051163
                                                                                                                          Strings
                                                                                                                          Similarity
                                                                                                                          • API ID: QueryValue
                                                                                                                          • String ID: regutil.cpp
                                                                                                                          • API String ID: 3660427363-955085611
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • WideCharToMultiByte.KERNEL32(0005B518,00000000,00000006,00000001,comres.dll,?,00000000,?,00000000,?,?,00000000,00000006,?,comres.dll,?), ref: 000467A3
                                                                                                                          • GetLastError.KERNEL32 ref: 000467BF
                                                                                                                          Strings
                                                                                                                          Similarity
                                                                                                                          • API ID: ByteCharErrorLastMultiWide
                                                                                                                          • String ID: comres.dll
                                                                                                                          • API String ID: 203985260-246242247
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                            • Part of subcall function 00058E44: lstrlenW.KERNEL32(00000100,?,?,?,00059217,000002C0,00000100,00000100,00000100,?,?,?,00037D87,?,?,000001BC), ref: 00058E69
                                                                                                                          • RegCloseKey.ADVAPI32(00000000,?,?,00000000,?,00000000,?,?,?,00000000,wininet.dll,?,0005B500,wininet.dll,?), ref: 0005907A
                                                                                                                          • RegCloseKey.ADVAPI32(?,?,?,00000000,?,00000000,?,?,?,00000000,wininet.dll,?,0005B500,wininet.dll,?), ref: 00059087
                                                                                                                            • Part of subcall function 00050F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,0007AAA0,00000000,?,000557E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00050F80
                                                                                                                            • Part of subcall function 00050E4F: RegEnumKeyExW.ADVAPI32(00000000,000002C0,00000410,00000002,00000000,00000000,00000000,00000000,00000410,00000002,00000100,00000000,00000000,?,?,00038E1B), ref: 00050EAA
                                                                                                                            • Part of subcall function 00050E4F: RegQueryInfoKeyW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00038E1B,00000000), ref: 00050EC8
                                                                                                                          Strings
                                                                                                                          Similarity
                                                                                                                          • API ID: Close$EnumInfoOpenQuerylstrlen
                                                                                                                          • String ID: wininet.dll
                                                                                                                          • API String ID: 2680864210-3354682871
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                            • Part of subcall function 00058E44: lstrlenW.KERNEL32(00000100,?,?,?,00059217,000002C0,00000100,00000100,00000100,?,?,?,00037D87,?,?,000001BC), ref: 00058E69
                                                                                                                          • RegCloseKey.ADVAPI32(00000000,00000000,?,00000000,00000000,00000000,00000000,?), ref: 00059483
                                                                                                                          • RegCloseKey.ADVAPI32(00000001,00000000,?,00000000,00000000,00000000,00000000,?), ref: 0005949D
                                                                                                                            • Part of subcall function 00050BE9: RegCreateKeyExW.ADVAPI32(00000001,00000000,00000000,00000000,00000000,00000001,00000000,?,00000000,00000001,?,?,0002061A,?,00000000,00020006), ref: 00050C0E
                                                                                                                            • Part of subcall function 000514F4: RegSetValueExW.ADVAPI32(00020006,00060D10,00000000,00000001,77FF0000,00000000,77FF0000,000000FF,00000000,00000000,?,?,0001F335,00000000,F685F08B,00020006), ref: 00051527
                                                                                                                            • Part of subcall function 000514F4: RegDeleteValueW.ADVAPI32(00020006,00060D10,00000000,?,?,0001F335,00000000,F685F08B,00020006,77FF0000,00060D10,00020006,00000000,?,?,?), ref: 00051557
                                                                                                                            • Part of subcall function 000514A6: RegSetValueExW.ADVAPI32(?,00000005,00000000,00000004,?,00000004,00000001,?,0001F28D,00060D10,Resume,00000005,?,00000000,00000000,00000000), ref: 000514BB
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Value$Close$CreateDeletelstrlen
                                                                                                                          • String ID: %ls\%ls
                                                                                                                          • API String ID: 3924016894-2125769799
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: _memcpy_s
                                                                                                                          • String ID: crypt32.dll$wininet.dll
                                                                                                                          • API String ID: 2001391462-82500532
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • RegSetValueExW.ADVAPI32(00020006,00060D10,00000000,00000001,77FF0000,00000000,77FF0000,000000FF,00000000,00000000,?,?,0001F335,00000000,F685F08B,00020006), ref: 00051527
                                                                                                                          • RegDeleteValueW.ADVAPI32(00020006,00060D10,00000000,?,?,0001F335,00000000,F685F08B,00020006,77FF0000,00060D10,00020006,00000000,?,?,?), ref: 00051557
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Value$Delete
                                                                                                                          • String ID: regutil.cpp
                                                                                                                          • API String ID: 1738766685-955085611
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • CompareStringW.KERNEL32(00000000,00000000,00000000,000000FF,?,000000FF,IGNOREDEPENDENCIES,00000000,?,?,00037691,00000000,IGNOREDEPENDENCIES,00000000,?,0005B518), ref: 0001DE04
                                                                                                                          Strings
                                                                                                                          • Failed to copy the property value., xrefs: 0001DE38
                                                                                                                          • IGNOREDEPENDENCIES, xrefs: 0001DDBB
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CompareString
                                                                                                                          • String ID: Failed to copy the property value.$IGNOREDEPENDENCIES
                                                                                                                          • API String ID: 1825529933-1412343224
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • Sleep.KERNEL32(20000004,00000000,00000000,00000000,00000000,00000000,?,?,00028E97,?,00000001,20000004,00000000,00000000,?,00000000), ref: 0005566E
                                                                                                                          • SetNamedSecurityInfoW.ADVAPI32(00000000,?,000007D0,00000003,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00028E97,?), ref: 00055689
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: InfoNamedSecuritySleep
                                                                                                                          • String ID: aclutil.cpp
                                                                                                                          • API String ID: 2352087905-2159165307
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • LCMapStringW.KERNEL32(0000007F,00000000,00000000,000270E8,00000000,000270E8,00000000,00000000,000270E8,00000000,00000000,00000000,?,00012318,00000000,00000000), ref: 000115D0
                                                                                                                          • GetLastError.KERNEL32(?,00012318,00000000,00000000,000270E8,00000200,?,000552B2,00000000,000270E8,00000000,000270E8,00000000,00000000,00000000), ref: 000115DA
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorLastString
                                                                                                                          • String ID: strutil.cpp
                                                                                                                          • API String ID: 3728238275-3612885251
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • CoInitializeEx.OLE32(00000000,00000000), ref: 000257D9
                                                                                                                          • CoUninitialize.OLE32(?,00000000,?,?,?,?,?,?,?), ref: 00025833
                                                                                                                          Strings
                                                                                                                          • Failed to initialize COM on cache thread., xrefs: 000257E5
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: InitializeUninitialize
                                                                                                                          • String ID: Failed to initialize COM on cache thread.
                                                                                                                          • API String ID: 3442037557-3629645316
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                            • Part of subcall function 00050F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,0007AAA0,00000000,?,000557E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00050F80
                                                                                                                          • RegCloseKey.ADVAPI32(00000000,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,00020019,00000000,?,?,?,?,?,00053A8E,?), ref: 00053C62
                                                                                                                          Strings
                                                                                                                          • EnableLUA, xrefs: 00053C34
                                                                                                                          • SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, xrefs: 00053C0C
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CloseOpen
                                                                                                                          • String ID: EnableLUA$SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
                                                                                                                          • API String ID: 47109696-3551287084
                                                                                                                          • Opcode ID: cb67fd63151756b2816ff4e1f25b05a753b2595513155fa53fe4b8238177aa1b
                                                                                                                          • Instruction ID: c5dd9883aa3fd0577d1d1e4332f07cf0e55c0d598f3eeeeec1fb83493ac4c931
                                                                                                                          • Opcode Fuzzy Hash: cb67fd63151756b2816ff4e1f25b05a753b2595513155fa53fe4b8238177aa1b
                                                                                                                          • Instruction Fuzzy Hash: DA018436D10229FBD7219AA4C80ABEFFAA8DB04762F2041A5AD01B7051D3766F54DBD4
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • lstrlenW.KERNEL32(burn.clean.room,?,?,?,?,00011104,?,?,00000000), ref: 00015142
                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000001,?,0000000F,burn.clean.room,0000000F,?,?,?,?,00011104,?,?,00000000), ref: 00015172
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CompareStringlstrlen
                                                                                                                          • String ID: burn.clean.room
                                                                                                                          • API String ID: 1433953587-3055529264
                                                                                                                          • Opcode ID: 314b10658e1cc06a6152501ab81ecbd4ec9fb3ec5ffaa08a39d9c29b4379d9d2
                                                                                                                          • Instruction ID: b86ef8d4ea47ff3f96e437fb7b149abd3eaa17836c212028d75de2af193e3bdc
                                                                                                                          • Opcode Fuzzy Hash: 314b10658e1cc06a6152501ab81ecbd4ec9fb3ec5ffaa08a39d9c29b4379d9d2
                                                                                                                          • Instruction Fuzzy Hash: 79018B72A00624BF97714B489D84EB7B7ECE7997627104115F909D7610D3B89CD1C792
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • SysFreeString.OLEAUT32(00000000), ref: 00056985
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: FreeString
                                                                                                                          • String ID: `<u$atomutil.cpp
                                                                                                                          • API String ID: 3341692771-4051019476
                                                                                                                          • Opcode ID: 2bd2741e2291894064946079b5f6496799c37cbb8a0d1578215d5f65d76f305d
                                                                                                                          • Instruction ID: aed0e311c15183eb9a6ac30770833f89b7a4c02bd0ecdda7fe96b05fba6262b9
                                                                                                                          • Opcode Fuzzy Hash: 2bd2741e2291894064946079b5f6496799c37cbb8a0d1578215d5f65d76f305d
                                                                                                                          • Instruction Fuzzy Hash: 4A01D132810214FBCB219A949C01BEFF6BCEB46B63F644155BD04671518B775E48E7E0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • GetCurrentProcess.KERNEL32(?), ref: 00016534
                                                                                                                            • Part of subcall function 00050ACC: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,00015EB2,00000000), ref: 00050AE0
                                                                                                                            • Part of subcall function 00050ACC: GetProcAddress.KERNEL32(00000000), ref: 00050AE7
                                                                                                                            • Part of subcall function 00050ACC: GetLastError.KERNEL32(?,?,?,00015EB2,00000000), ref: 00050AFE
                                                                                                                            • Part of subcall function 00015CE2: RegCloseKey.ADVAPI32(00000000,?,00000000,CommonFilesDir,?,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion,00020119,00000000), ref: 00015D68
                                                                                                                          Strings
                                                                                                                          • Failed to set variant value., xrefs: 00016571
                                                                                                                          • Failed to get 64-bit folder., xrefs: 00016557
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: AddressCloseCurrentErrorHandleLastModuleProcProcess
                                                                                                                          • String ID: Failed to get 64-bit folder.$Failed to set variant value.
                                                                                                                          • API String ID: 3109562764-2681622189
                                                                                                                          • Opcode ID: 1fbf9c35042066175fb1de64b2e171071a9d181f0a384b096d2ed03439d19947
                                                                                                                          • Instruction ID: e09e4472e5cca1c4f8f31071ef7f224d97468cef8d262b2c221c591ace906831
                                                                                                                          • Opcode Fuzzy Hash: 1fbf9c35042066175fb1de64b2e171071a9d181f0a384b096d2ed03439d19947
                                                                                                                          • Instruction Fuzzy Hash: 52016232D01A28BBDB21AB90CD06ADE7B79EF00722F504156FD0067155D7329F94D6D1
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • GetModuleFileNameW.KERNEL32(?,?,00000104,?,00000104,?,?,?,?,000110DD,?,00000000), ref: 000133E8
                                                                                                                          • GetLastError.KERNEL32(?,?,?,?,000110DD,?,00000000), ref: 000133FF
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorFileLastModuleName
                                                                                                                          • String ID: pathutil.cpp
                                                                                                                          • API String ID: 2776309574-741606033
                                                                                                                          • Opcode ID: fb305116a1a785d63fc1b731fb95de7dbc115e4ad6007dfce28ad2678819ec14
                                                                                                                          • Instruction ID: 480b6969db990bb8dece868e99968997807ee704c35bd31080a57ae74e903037
                                                                                                                          • Opcode Fuzzy Hash: fb305116a1a785d63fc1b731fb95de7dbc115e4ad6007dfce28ad2678819ec14
                                                                                                                          • Instruction Fuzzy Hash: 66F04673A0063067C73256966C04ECBFA9CEB41B70B020121FE40BF140DB20FE8082E0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 0003EBD2
                                                                                                                            • Part of subcall function 00041380: RaiseException.KERNEL32(?,?,?,0003EBF4,?,00000000,00000000,?,?,?,?,?,0003EBF4,?,00077EC8), ref: 000413DF
                                                                                                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 0003EBEF
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Exception@8Throw$ExceptionRaise
                                                                                                                          • String ID: Unknown exception
                                                                                                                          • API String ID: 3476068407-410509341
                                                                                                                          • Opcode ID: ed63991a2762d039887f6cae0a44a1912911add6359f58c6c656098217a342aa
                                                                                                                          • Instruction ID: d94317f9efadaa0783f1ad95672d236d12b6d2c543f134b16eb4a81d9823453b
                                                                                                                          • Opcode Fuzzy Hash: ed63991a2762d039887f6cae0a44a1912911add6359f58c6c656098217a342aa
                                                                                                                          • Instruction Fuzzy Hash: B9F0C27890020DBBCB12BFA4DC4AEDEB7AC9B00350F508770F919964D2EB30EE5586D4
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • GetFileSizeEx.KERNEL32(00000000,00000000,00000000,74DF34C0,?,?,?,0001BA1D,?,?,?,00000000,00000000), ref: 00054A1D
                                                                                                                          • GetLastError.KERNEL32(?,?,?,0001BA1D,?,?,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 00054A27
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorFileLastSize
                                                                                                                          • String ID: fileutil.cpp
                                                                                                                          • API String ID: 464720113-2967768451
                                                                                                                          • Opcode ID: 5fe639c565b2548f2cfdc5125cb2252904115bf8717a157c059eb644955a77cd
                                                                                                                          • Instruction ID: 82e939a5fea135e44b113c66bc0c68cbd18c6203c41065130a995548d617eaa4
                                                                                                                          • Opcode Fuzzy Hash: 5fe639c565b2548f2cfdc5125cb2252904115bf8717a157c059eb644955a77cd
                                                                                                                          • Instruction Fuzzy Hash: FDF0AF76A4023AAB97608F8989059ABFBACFF04B21F01411AFD44A7300E771AD40CBE5
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • CLSIDFromProgID.OLE32(Microsoft.Update.AutoUpdate,00015466,?,00000000,00015466,?,?,?), ref: 00053DA7
                                                                                                                          • CoCreateInstance.OLE32(00000000,00000000,00000001,0007716C,?), ref: 00053DBF
                                                                                                                          Strings
                                                                                                                          • Microsoft.Update.AutoUpdate, xrefs: 00053DA2
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CreateFromInstanceProg
                                                                                                                          • String ID: Microsoft.Update.AutoUpdate
                                                                                                                          • API String ID: 2151042543-675569418
                                                                                                                          • Opcode ID: 60a20af637938d7d74e1b94be8edde5feb71f3070c0cd3721eab4083b73f7913
                                                                                                                          • Instruction ID: 2a78755f61d743219a59bc053c163a97fc5f179d6ee6df379fd1a4047f53f509
                                                                                                                          • Opcode Fuzzy Hash: 60a20af637938d7d74e1b94be8edde5feb71f3070c0cd3721eab4083b73f7913
                                                                                                                          • Instruction Fuzzy Hash: DFF03071A00208BBE700DFA8DD05AEFB7BCDB49751F404165EA05F7150DA75AE0486A6
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • FreeLibrary.KERNEL32(75A70000,00000001,0001558A,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0004FDCA
                                                                                                                          • FreeLibrary.KERNEL32(00000000,00000001,0001558A,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0004FDEC
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: FreeLibrary
                                                                                                                          • String ID: `+9s
                                                                                                                          • API String ID: 3664257935-3924962338
                                                                                                                          • Opcode ID: 4ec7a54109bcc0db30f86f4419ef80e3fdf0e815feb24963eb12e74676e26897
                                                                                                                          • Instruction ID: 3a238dac939c04606c74848dc75f05556f2a7d8fd54dff7025f0136a17cc4c58
                                                                                                                          • Opcode Fuzzy Hash: 4ec7a54109bcc0db30f86f4419ef80e3fdf0e815feb24963eb12e74676e26897
                                                                                                                          • Instruction Fuzzy Hash: 06E0E2B5E00A419FA740CF6BBC88B16FAE8BB95751354422BA408E6234DBBCD5818F54
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • GetProcAddress.KERNEL32(RegDeleteKeyExW,AdvApi32.dll), ref: 00050E28
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2880222276.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.2879823753.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2880742903.000000000005B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881168914.000000000007A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.2881468874.000000000007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_10000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: AddressProc
                                                                                                                          • String ID: AdvApi32.dll$RegDeleteKeyExW
                                                                                                                          • API String ID: 190572456-850864035
                                                                                                                          • Opcode ID: 31757fc2129e7197eb5f1702fe6157fbeb9519e072c2e0c56f38cd41aa402b9e
                                                                                                                          • Instruction ID: c46005ffa47598be9e0d2d09ea8533b5bfd59c6f584ab61844e39949699cc649
                                                                                                                          • Opcode Fuzzy Hash: 31757fc2129e7197eb5f1702fe6157fbeb9519e072c2e0c56f38cd41aa402b9e
                                                                                                                          • Instruction Fuzzy Hash: 19E0EC70D017219AEB215B14BC16B467FE0AB10759F008524EB0DBA170D7BE5894CB94
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                            • Part of subcall function 009433C7: GetModuleFileNameW.KERNEL32(?,00000000,00000104,00000000,00000104,?,00000000,00000000,?,0096AF82,00000001,00000000,?,WixBundleSourceProcessPath,00000001,?), ref: 009433E8
                                                                                                                          • CreateFileW.KERNEL32(?,80000000,00000005,00000000,00000003,00000080,00000000,?,00000000), ref: 009410F6
                                                                                                                            • Part of subcall function 00941175: HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,0094111A,cabinet.dll,00000009,?,?,00000000), ref: 00941186
                                                                                                                            • Part of subcall function 00941175: GetModuleHandleW.KERNEL32(kernel32,?,?,?,?,?,0094111A,cabinet.dll,00000009,?,?,00000000), ref: 00941191
                                                                                                                            • Part of subcall function 00941175: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 0094119F
                                                                                                                            • Part of subcall function 00941175: GetLastError.KERNEL32(?,?,?,?,?,0094111A,cabinet.dll,00000009,?,?,00000000), ref: 009411BA
                                                                                                                            • Part of subcall function 00941175: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 009411C2
                                                                                                                            • Part of subcall function 00941175: GetLastError.KERNEL32(?,?,?,?,?,0094111A,cabinet.dll,00000009,?,?,00000000), ref: 009411D7
                                                                                                                          • CloseHandle.KERNEL32(?,?,?,?,0098B4D0,?,cabinet.dll,00000009,?,?,00000000), ref: 00941131
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.2883260240.0000000000941000.00000020.00000001.01000000.00000005.sdmp, Offset: 00940000, based on PE: true
                                                                                                                          • Associated: 00000001.00000002.2882942936.0000000000940000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883756918.000000000098B000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883978416.00000000009AA000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2884234589.00000000009AD000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_1_2_940000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: AddressErrorFileHandleLastModuleProc$CloseCreateHeapInformationName
                                                                                                                          • String ID: cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$feclient.dll$msasn1.dll$msi.dll$version.dll$wininet.dll
                                                                                                                          • API String ID: 3687706282-3151496603
                                                                                                                          • Opcode ID: 8612858cabc69e285a9226bc4118739adb4fb4267f0a2c7ee26725df05180468
                                                                                                                          • Instruction ID: 95422eb677dcf41581c5ba9f061361c5d7438e35ae2b90b767d841b33edcddd1
                                                                                                                          • Opcode Fuzzy Hash: 8612858cabc69e285a9226bc4118739adb4fb4267f0a2c7ee26725df05180468
                                                                                                                          • Instruction Fuzzy Hash: 39216D7190421CABDB20AFB4CC46FEEBBB8AB49714F544119FA11B73A2D7709944CBA4
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                            • Part of subcall function 0098490D: SetFilePointerEx.KERNEL32(00000000,?,?,00000000,?,00000000,00000000,00000000,?,00986376,?,?,?,00000000,00000000,00000001), ref: 00984925
                                                                                                                            • Part of subcall function 0098490D: GetLastError.KERNEL32(?,00986376,?,?,?,00000000,00000000,00000001,00000000,00000000,00000000,?,00985C09,?,?,?), ref: 0098492F
                                                                                                                          • InternetReadFile.WININET(00000000,?,00000001,00000000), ref: 0098638E
                                                                                                                          • WriteFile.KERNEL32(?,?,00000000,?,00000000,?,00985C09,?,?,?,?,00000000,?,?,00010000,?), ref: 009863C0
                                                                                                                          • WriteFile.KERNEL32(000000FF,00000008,00000008,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00985C09,?,?,?,?), ref: 00986412
                                                                                                                          • GetLastError.KERNEL32(?,00985C09,?,?,?,?,00000000,?,?,00010000,?,00000001,?,GET,?,?), ref: 00986458
                                                                                                                          • GetLastError.KERNEL32(?,00985C09,?,?,?,?,00000000,?,?,00010000,?,00000001,?,GET,?,?), ref: 0098647E
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.2883260240.0000000000941000.00000020.00000001.01000000.00000005.sdmp, Offset: 00940000, based on PE: true
                                                                                                                          • Associated: 00000001.00000002.2882942936.0000000000940000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883756918.000000000098B000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883978416.00000000009AA000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2884234589.00000000009AD000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_1_2_940000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: File$ErrorLast$Write$InternetPointerRead
                                                                                                                          • String ID: dlutil.cpp
                                                                                                                          • API String ID: 755641697-2067379296
                                                                                                                          • Opcode ID: caa7f335ce16da68a2db97b6e485a8ad2bf24d369d90dd822b4aa5c9330bd3b2
                                                                                                                          • Instruction ID: 92cb13cc78eab79100588a40b033f6e2c0f828d38886f5996a7175fc9b921260
                                                                                                                          • Opcode Fuzzy Hash: caa7f335ce16da68a2db97b6e485a8ad2bf24d369d90dd822b4aa5c9330bd3b2
                                                                                                                          • Instruction Fuzzy Hash: 0B41807290021ABFDB21AEA4CD45FAE7B6DEF04761F154125FD00AA2A0D775DD20DBA0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Strings
                                                                                                                          • Failed to calculate working folder to ensure it exists., xrefs: 0095A0D8
                                                                                                                          • Failed create working folder., xrefs: 0095A0EE
                                                                                                                          • Failed to copy working folder., xrefs: 0095A116
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.2883260240.0000000000941000.00000020.00000001.01000000.00000005.sdmp, Offset: 00940000, based on PE: true
                                                                                                                          • Associated: 00000001.00000002.2882942936.0000000000940000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883756918.000000000098B000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883978416.00000000009AA000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2884234589.00000000009AD000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_1_2_940000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CurrentDirectoryErrorLastProcessWindows
                                                                                                                          • String ID: Failed create working folder.$Failed to calculate working folder to ensure it exists.$Failed to copy working folder.
                                                                                                                          • API String ID: 3841436932-2072961686
                                                                                                                          • Opcode ID: 07e84e355bc550a4276d0254b0cddcc19fdf89cb49b85a991efea3517ecda5e1
                                                                                                                          • Instruction ID: f98863f7a95b14b08a0a30d95329fe315a71a2857ed61fde0ce8625ee7ee3737
                                                                                                                          • Opcode Fuzzy Hash: 07e84e355bc550a4276d0254b0cddcc19fdf89cb49b85a991efea3517ecda5e1
                                                                                                                          • Instruction Fuzzy Hash: 7101D432909928FB8F22AB5ADD06DAEBA79DFD5761B104355FC00B6210DB319E04E785
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • FindFirstFileW.KERNEL32(?,?,?,00000000,?), ref: 0098447B
                                                                                                                          • FindClose.KERNEL32(00000000), ref: 00984487
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.2883260240.0000000000941000.00000020.00000001.01000000.00000005.sdmp, Offset: 00940000, based on PE: true
                                                                                                                          • Associated: 00000001.00000002.2882942936.0000000000940000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883756918.000000000098B000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883978416.00000000009AA000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2884234589.00000000009AD000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_1_2_940000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Find$CloseFileFirst
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2295610775-0
                                                                                                                          • Opcode ID: c52daef4f4e289eaa4d9d88d9bf18772d4bdb5cb2932d19cad9e0efa40e82a2e
                                                                                                                          • Instruction ID: 70d262b869cdcdffece79a8ece93875cdafd0b2abf5f197465ae55758a9c8204
                                                                                                                          • Opcode Fuzzy Hash: c52daef4f4e289eaa4d9d88d9bf18772d4bdb5cb2932d19cad9e0efa40e82a2e
                                                                                                                          • Instruction Fuzzy Hash: D601D6316002096BCB10EF65ED89EAAB7ACEFC5315F400065F914C7251D7345D498754
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Control-flow Graph

                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.2883260240.0000000000941000.00000020.00000001.01000000.00000005.sdmp, Offset: 00940000, based on PE: true
                                                                                                                          • Associated: 00000001.00000002.2882942936.0000000000940000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883756918.000000000098B000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883978416.00000000009AA000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2884234589.00000000009AD000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_1_2_940000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: StringVariant$AllocClearFreeInit
                                                                                                                          • String ID: AboutUrl$Arp$Classification$Comments$Contact$Department$DisableModify$DisableRemove$DisplayName$DisplayVersion$ExecutableName$Failed to get @AboutUrl.$Failed to get @Classification.$Failed to get @Comments.$Failed to get @Contact.$Failed to get @Department.$Failed to get @DisableModify.$Failed to get @DisableRemove.$Failed to get @DisplayName.$Failed to get @DisplayVersion.$Failed to get @ExecutableName.$Failed to get @HelpLink.$Failed to get @HelpTelephone.$Failed to get @Id.$Failed to get @Manufacturer.$Failed to get @Name.$Failed to get @ParentDisplayName.$Failed to get @PerMachine.$Failed to get @ProductFamily.$Failed to get @ProviderKey.$Failed to get @Publisher.$Failed to get @Register.$Failed to get @Tag.$Failed to get @UpdateUrl.$Failed to get @Version.$Failed to parse @Version: %ls$Failed to parse related bundles$Failed to parse software tag.$Failed to select ARP node.$Failed to select Update node.$Failed to select registration node.$Failed to set registration paths.$HelpLink$HelpTelephone$Invalid modify disabled type: %ls$Manufacturer$Name$ParentDisplayName$PerMachine$ProductFamily$ProviderKey$Publisher$Register$Registration$Tag$Update$UpdateUrl$Version$button$registration.cpp$yes
                                                                                                                          • API String ID: 760788290-2956246334
                                                                                                                          • Opcode ID: da2002d05a6490e09175d7ce790b41b4c407a3ad63f3719ab55d5f16014399af
                                                                                                                          • Instruction ID: d2f7145b5fad6510422fa23a365da3dd3587b8e85eba557a8ccc62b146cb2d64
                                                                                                                          • Opcode Fuzzy Hash: da2002d05a6490e09175d7ce790b41b4c407a3ad63f3719ab55d5f16014399af
                                                                                                                          • Instruction Fuzzy Hash: 8AE1E733E4426BBBCF21A6A8CC52FAEB6A4BB45B18F114271F921F7290D7619D1497C0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Control-flow Graph

                                                                                                                          • Executed
                                                                                                                          • Not Executed
                                                                                                                          APIs
                                                                                                                          • GetLastError.KERNEL32(?,?,?,00000000,76EEC3F0,00000000), ref: 0094B502
                                                                                                                          • SetFilePointerEx.KERNEL32(000000FF,00000000,00000000,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0094B550
                                                                                                                          • GetLastError.KERNEL32(?,?,?,00000000,76EEC3F0,00000000), ref: 0094B556
                                                                                                                          • ReadFile.KERNEL32(00000000,00944461,00000040,?,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0094B59E
                                                                                                                          • GetLastError.KERNEL32(?,?,?,00000000,76EEC3F0,00000000), ref: 0094B5A4
                                                                                                                          • SetFilePointerEx.KERNEL32(00000000,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0094B601
                                                                                                                          • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0094B607
                                                                                                                          • ReadFile.KERNEL32(00000000,?,00000018,00000040,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0094B650
                                                                                                                          • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0094B656
                                                                                                                          • SetFilePointerEx.KERNEL32(00000000,-00000098,00000000,00000000,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0094B6C7
                                                                                                                          • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0094B6CD
                                                                                                                          • ReadFile.KERNEL32(00000000,?,00000004,00000018,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0094B716
                                                                                                                          • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0094B71C
                                                                                                                          • ReadFile.KERNEL32(00000000,?,00000004,00000018,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0094B765
                                                                                                                          • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0094B76B
                                                                                                                          • SetFilePointerEx.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0094B7B7
                                                                                                                          • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0094B7BD
                                                                                                                            • Part of subcall function 0094394F: GetProcessHeap.KERNEL32(?,?,?,00942274,?,00000001,75C0B390,8000FFFF,?,?,00980267,?,?,00000000,00000000,8000FFFF), ref: 00943960
                                                                                                                            • Part of subcall function 0094394F: RtlAllocateHeap.NTDLL(00000000,?,00942274,?,00000001,75C0B390,8000FFFF,?,?,00980267,?,?,00000000,00000000,8000FFFF), ref: 00943967
                                                                                                                          • ReadFile.KERNEL32(00000000,?,00000028,00000018,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0094B810
                                                                                                                          • ReadFile.KERNEL32(00000000,?,00000028,00000028,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0094B872
                                                                                                                          • SetFilePointerEx.KERNEL32(00000000,?,00000000,00000000,00000000,00000034,00000001,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0094B8FC
                                                                                                                          • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0094B906
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.2883260240.0000000000941000.00000020.00000001.01000000.00000005.sdmp, Offset: 00940000, based on PE: true
                                                                                                                          • Associated: 00000001.00000002.2882942936.0000000000940000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883756918.000000000098B000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883978416.00000000009AA000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2884234589.00000000009AD000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_1_2_940000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: File$ErrorLast$Read$Pointer$Heap$AllocateProcess
                                                                                                                          • String ID: ($.wix$4$Failed to allocate buffer for section info.$Failed to allocate memory for container sizes.$Failed to find Burn section.$Failed to find valid DOS image header in buffer.$Failed to find valid NT image header in buffer.$Failed to get total size of bundle.$Failed to open handle to engine process path.$Failed to read DOS header.$Failed to read NT header.$Failed to read complete image section header, index: %u$Failed to read complete section info.$Failed to read image section header, index: %u$Failed to read section info, data to short: %u$Failed to read section info, unsupported version: %08x$Failed to read section info.$Failed to read signature offset.$Failed to read signature size.$Failed to seek past optional headers.$Failed to seek to NT header.$Failed to seek to section info.$Failed to seek to start of file.$PE$PE Header from file didn't match PE Header in memory.$burn$section.cpp
                                                                                                                          • API String ID: 3411815225-695169583
                                                                                                                          • Opcode ID: e8b5d2248a0c24ea1c9e88a94814afd99f97c4ed26e2645412802b93a8bd95f3
                                                                                                                          • Instruction ID: 077a1135bc1e2b7a26b938c3f1a8c2f5bc019522e7524b940aae54dcebb1b5ad
                                                                                                                          • Opcode Fuzzy Hash: e8b5d2248a0c24ea1c9e88a94814afd99f97c4ed26e2645412802b93a8bd95f3
                                                                                                                          • Instruction Fuzzy Hash: F812C576A40235ABDB309B658C45FAAB6A8EF84714F1541A5FE04FB381E774DD40CBE0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Control-flow Graph

                                                                                                                          • Executed
                                                                                                                          • Not Executed
                                                                                                                          APIs
                                                                                                                          • lstrlenW.KERNEL32(?,?,00000000,?,0098B500,?,00000000,?,0094452F,?,0098B500), ref: 009554FD
                                                                                                                          • GetCurrentProcessId.KERNEL32(?,0094452F,?,0098B500), ref: 00955508
                                                                                                                          • SetNamedPipeHandleState.KERNEL32(?,000000FF,00000000,00000000,?,0094452F,?,0098B500), ref: 0095553F
                                                                                                                          • ConnectNamedPipe.KERNEL32(?,00000000,?,0094452F,?,0098B500), ref: 00955554
                                                                                                                          • GetLastError.KERNEL32(?,0094452F,?,0098B500), ref: 0095555E
                                                                                                                          • Sleep.KERNEL32(00000064,?,0094452F,?,0098B500), ref: 00955593
                                                                                                                          • SetNamedPipeHandleState.KERNEL32(?,00000000,00000000,00000000,?,0094452F,?,0098B500), ref: 009555B6
                                                                                                                          • WriteFile.KERNEL32(?,crypt32.dll,00000004,00000000,00000000,?,0094452F,?,0098B500), ref: 009555D1
                                                                                                                          • WriteFile.KERNEL32(?,0094452F,0098B500,00000000,00000000,?,0094452F,?,0098B500), ref: 009555EC
                                                                                                                          • WriteFile.KERNEL32(?,?,00000004,00000000,00000000,?,0094452F,?,0098B500), ref: 00955607
                                                                                                                          • ReadFile.KERNEL32(?,00000000,00000004,00000000,00000000,?,0094452F,?,0098B500), ref: 00955622
                                                                                                                          • GetLastError.KERNEL32(?,0094452F,?,0098B500), ref: 0095567D
                                                                                                                          • GetLastError.KERNEL32(?,0094452F,?,0098B500), ref: 009556B1
                                                                                                                          • GetLastError.KERNEL32(?,0094452F,?,0098B500), ref: 009556E5
                                                                                                                          • GetLastError.KERNEL32(?,0094452F,?,0098B500), ref: 00955719
                                                                                                                          • GetLastError.KERNEL32(?,0094452F,?,0098B500), ref: 0095574A
                                                                                                                          • GetLastError.KERNEL32(?,0094452F,?,0098B500), ref: 0095577B
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.2883260240.0000000000941000.00000020.00000001.01000000.00000005.sdmp, Offset: 00940000, based on PE: true
                                                                                                                          • Associated: 00000001.00000002.2882942936.0000000000940000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883756918.000000000098B000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883978416.00000000009AA000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2884234589.00000000009AD000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_1_2_940000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorLast$File$NamedPipeWrite$HandleState$ConnectCurrentProcessReadSleeplstrlen
                                                                                                                          • String ID: Failed to read ACK from pipe.$Failed to reset pipe to blocking.$Failed to set pipe to non-blocking.$Failed to wait for child to connect to pipe.$Failed to write our process id to pipe.$Failed to write secret length to pipe.$Failed to write secret to pipe.$crypt32.dll$pipe.cpp
                                                                                                                          • API String ID: 2944378912-2047837012
                                                                                                                          • Opcode ID: 75dac315be33c2bef57ad933c4ff8bd82b4722040a43f1c0a1fc842c88edb306
                                                                                                                          • Instruction ID: e25ccbd4b838bfaa790da0155c1a7b16b7d380d1325bd5862c61def846ce4465
                                                                                                                          • Opcode Fuzzy Hash: 75dac315be33c2bef57ad933c4ff8bd82b4722040a43f1c0a1fc842c88edb306
                                                                                                                          • Instruction Fuzzy Hash: 5C711B73D41635ABDB20D6EA8C55FAEA6ACAF08B12F134525BD10FB281E774CD0487E1
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Control-flow Graph

                                                                                                                          • Executed
                                                                                                                          • Not Executed
                                                                                                                          APIs
                                                                                                                          • _MREFOpen@16.MSPDB140-MSVCRT ref: 0094A45A
                                                                                                                          • _MREFOpen@16.MSPDB140-MSVCRT ref: 0094A480
                                                                                                                          • RegCloseKey.KERNEL32(00000000,?,00000000,?,?,?,?,?), ref: 0094A768
                                                                                                                          Strings
                                                                                                                          • Failed to get expand environment string., xrefs: 0094A6DD
                                                                                                                          • Failed to allocate string buffer., xrefs: 0094A667
                                                                                                                          • Failed to change value type., xrefs: 0094A70F
                                                                                                                          • Failed to allocate memory registry value., xrefs: 0094A587
                                                                                                                          • Failed to format value string., xrefs: 0094A48B
                                                                                                                          • Failed to open registry key., xrefs: 0094A4ED
                                                                                                                          • Failed to query registry key value size., xrefs: 0094A554
                                                                                                                          • search.cpp, xrefs: 0094A54A, 0094A57D, 0094A5D0, 0094A6D3
                                                                                                                          • Registry value not found. Key = '%ls', Value = '%ls', xrefs: 0094A51C
                                                                                                                          • Failed to set variable., xrefs: 0094A72B
                                                                                                                          • Registry key not found. Key = '%ls', xrefs: 0094A4B4
                                                                                                                          • Failed to query registry key value., xrefs: 0094A5DA
                                                                                                                          • Failed to format key string., xrefs: 0094A465
                                                                                                                          • Unsupported registry key value type. Type = '%u', xrefs: 0094A608
                                                                                                                          • Failed to clear variable., xrefs: 0094A4D8
                                                                                                                          • RegistrySearchValue failed: ID '%ls', HRESULT 0x%x, xrefs: 0094A740
                                                                                                                          • Failed to read registry value., xrefs: 0094A6F6
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.2883260240.0000000000941000.00000020.00000001.01000000.00000005.sdmp, Offset: 00940000, based on PE: true
                                                                                                                          • Associated: 00000001.00000002.2882942936.0000000000940000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883756918.000000000098B000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883978416.00000000009AA000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2884234589.00000000009AD000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_1_2_940000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Open@16$Close
                                                                                                                          • String ID: Failed to allocate memory registry value.$Failed to allocate string buffer.$Failed to change value type.$Failed to clear variable.$Failed to format key string.$Failed to format value string.$Failed to get expand environment string.$Failed to open registry key.$Failed to query registry key value size.$Failed to query registry key value.$Failed to read registry value.$Failed to set variable.$Registry key not found. Key = '%ls'$Registry value not found. Key = '%ls', Value = '%ls'$RegistrySearchValue failed: ID '%ls', HRESULT 0x%x$Unsupported registry key value type. Type = '%u'$search.cpp
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Control-flow Graph

                                                                                                                          • Executed
                                                                                                                          • Not Executed
                                                                                                                          APIs
                                                                                                                          • EnterCriticalSection.KERNEL32(00000100,00000100,00000100,00000000,00000000,00000000,?,0094A8B4,00000100,000002C0,000002C0,00000100), ref: 00945795
                                                                                                                          • lstrlenW.KERNEL32(000002C0,?,0094A8B4,00000100,000002C0,000002C0,00000100), ref: 0094579F
                                                                                                                          • _wcschr.LIBVCRUNTIME ref: 009459A7
                                                                                                                          • LeaveCriticalSection.KERNEL32(00000100,00000000,000002C0,000002C0,00000000,000002C0,00000001,?,0094A8B4,00000100,000002C0,000002C0,00000100), ref: 00945C4A
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.2883260240.0000000000941000.00000020.00000001.01000000.00000005.sdmp, Offset: 00940000, based on PE: true
                                                                                                                          • Associated: 00000001.00000002.2882942936.0000000000940000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883756918.000000000098B000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883978416.00000000009AA000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2884234589.00000000009AD000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_1_2_940000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CriticalSection$EnterLeave_wcschrlstrlen
                                                                                                                          • String ID: *****$Failed to allocate buffer for format string.$Failed to allocate record.$Failed to allocate string.$Failed to allocate variable array.$Failed to append placeholder.$Failed to append string.$Failed to copy string.$Failed to determine variable visibility: '%ls'.$Failed to format placeholder string.$Failed to format record.$Failed to get formatted length.$Failed to get variable name.$Failed to reallocate variable array.$Failed to set record format string.$Failed to set record string.$Failed to set variable value.$[%d]$variable.cpp
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Control-flow Graph

                                                                                                                          • Executed
                                                                                                                          • Not Executed
                                                                                                                          APIs
                                                                                                                          • GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?), ref: 00945217
                                                                                                                            • Part of subcall function 009804F8: InitializeCriticalSection.KERNEL32(009AB5FC,?,00945223,00000000,?,?,?,?,?,?), ref: 0098050F
                                                                                                                            • Part of subcall function 0094120A: CommandLineToArgvW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,ignored ,00000000,?,00000000,?,?,?,0094523F,00000000,?), ref: 00941248
                                                                                                                            • Part of subcall function 0094120A: GetLastError.KERNEL32(?,?,?,0094523F,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 00941252
                                                                                                                          • CoInitializeEx.OLE32(00000000,00000000,?,?,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 00945285
                                                                                                                            • Part of subcall function 00980E07: GetProcAddress.KERNEL32(RegDeleteKeyExW,AdvApi32.dll), ref: 00980E28
                                                                                                                          • GetVersionExW.KERNEL32(?,?,?,?,?,?,?), ref: 00945317
                                                                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?), ref: 00945321
                                                                                                                          • CoUninitialize.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0094558E
                                                                                                                          Strings
                                                                                                                          • Failed to run untrusted mode., xrefs: 009454B6
                                                                                                                          • Invalid run mode., xrefs: 009453F9
                                                                                                                          • Failed to initialize XML util., xrefs: 009452F9
                                                                                                                          • Failed to initialize engine state., xrefs: 0094526C
                                                                                                                          • Failed to initialize Wiutil., xrefs: 009452E1
                                                                                                                          • Failed to initialize core., xrefs: 009453C3
                                                                                                                          • Failed to initialize Cryputil., xrefs: 009452A6
                                                                                                                          • engine.cpp, xrefs: 00945345
                                                                                                                          • Failed to run RunOnce mode., xrefs: 0094541C
                                                                                                                          • Failed to run per-user mode., xrefs: 00945494
                                                                                                                          • Failed to parse command line., xrefs: 00945245
                                                                                                                          • Failed to initialize COM., xrefs: 00945291
                                                                                                                          • Failed to run embedded mode., xrefs: 00945444
                                                                                                                          • 3.11.1.2318, xrefs: 00945384
                                                                                                                          • Failed to initialize Regutil., xrefs: 009452C9
                                                                                                                          • Failed to get OS info., xrefs: 0094534F
                                                                                                                          • Failed to run per-machine mode., xrefs: 0094546C
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.2883260240.0000000000941000.00000020.00000001.01000000.00000005.sdmp, Offset: 00940000, based on PE: true
                                                                                                                          • Associated: 00000001.00000002.2882942936.0000000000940000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883756918.000000000098B000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883978416.00000000009AA000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2884234589.00000000009AD000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_1_2_940000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorInitializeLast$AddressArgvCommandCriticalHandleLineModuleProcSectionUninitializeVersion
                                                                                                                          • String ID: 3.11.1.2318$Failed to get OS info.$Failed to initialize COM.$Failed to initialize Cryputil.$Failed to initialize Regutil.$Failed to initialize Wiutil.$Failed to initialize XML util.$Failed to initialize core.$Failed to initialize engine state.$Failed to parse command line.$Failed to run RunOnce mode.$Failed to run embedded mode.$Failed to run per-machine mode.$Failed to run per-user mode.$Failed to run untrusted mode.$Invalid run mode.$engine.cpp
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Control-flow Graph

                                                                                                                          • Executed
                                                                                                                          • Not Executed
                                                                                                                          Strings
                                                                                                                          • Failed to get manifest stream from container., xrefs: 009575CC
                                                                                                                          • Failed to get unique temporary folder for bootstrapper application., xrefs: 009577CE
                                                                                                                          • WixBundleOriginalSource, xrefs: 00957759
                                                                                                                          • Failed to extract bootstrapper application payloads., xrefs: 009577EF
                                                                                                                          • Failed to set original source variable., xrefs: 0095776A
                                                                                                                          • WixBundleElevated, xrefs: 009576A5, 009576B6
                                                                                                                          • WixBundleSourceProcessFolder, xrefs: 00957734
                                                                                                                          • Failed to open manifest stream., xrefs: 009575AB
                                                                                                                          • Failed to get source process folder from path., xrefs: 00957725
                                                                                                                          • Failed to load manifest., xrefs: 009575E8
                                                                                                                          • Failed to open attached UX container., xrefs: 0095758E
                                                                                                                          • Failed to set source process path variable., xrefs: 00957709
                                                                                                                          • Failed to overwrite the %ls built-in variable., xrefs: 009576BB
                                                                                                                          • Failed to load catalog files., xrefs: 0095780F
                                                                                                                          • Failed to parse command line., xrefs: 00957667
                                                                                                                          • Failed to initialize variables., xrefs: 00957571
                                                                                                                          • Failed to initialize internal cache functionality., xrefs: 0095779F
                                                                                                                          • WixBundleSourceProcessPath, xrefs: 009576F8
                                                                                                                          • WixBundleUILevel, xrefs: 009576D6, 009576E7
                                                                                                                          • Failed to set source process folder variable., xrefs: 00957745
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.2883260240.0000000000941000.00000020.00000001.01000000.00000005.sdmp, Offset: 00940000, based on PE: true
                                                                                                                          • Associated: 00000001.00000002.2882942936.0000000000940000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883756918.000000000098B000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883978416.00000000009AA000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2884234589.00000000009AD000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_1_2_940000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CriticalInitializeSection
                                                                                                                          • String ID: Failed to extract bootstrapper application payloads.$Failed to get manifest stream from container.$Failed to get source process folder from path.$Failed to get unique temporary folder for bootstrapper application.$Failed to initialize internal cache functionality.$Failed to initialize variables.$Failed to load catalog files.$Failed to load manifest.$Failed to open attached UX container.$Failed to open manifest stream.$Failed to overwrite the %ls built-in variable.$Failed to parse command line.$Failed to set original source variable.$Failed to set source process folder variable.$Failed to set source process path variable.$WixBundleElevated$WixBundleOriginalSource$WixBundleSourceProcessFolder$WixBundleSourceProcessPath$WixBundleUILevel
                                                                                                                          • API String ID: 32694325-1564579409
                                                                                                                          • Opcode ID: 6a9b2aab2f565afcd3f23abde0a00a320089ab541da0cab4723e6ef197a2c9cd
                                                                                                                          • Instruction ID: c25fddb30478210e1999294e7ca10d6e2239e56dec32fe6217cb48a1ba5968b9
                                                                                                                          • Opcode Fuzzy Hash: 6a9b2aab2f565afcd3f23abde0a00a320089ab541da0cab4723e6ef197a2c9cd
                                                                                                                          • Instruction Fuzzy Hash: 3DA1B672A44619BBDB12DAE5DC85FEEF76CBB44705F000626FA15E7241E770EA08C7A0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Control-flow Graph

                                                                                                                          • Executed
                                                                                                                          • Not Executed
                                                                                                                          APIs
                                                                                                                          • CreateFileW.KERNEL32(00000000,40000000,00000005,00000000,00000002,08000080,00000000,?,00000000,00000000,00944DBC,?,?,00000000,00944DBC,00000000), ref: 00958713
                                                                                                                          • GetLastError.KERNEL32 ref: 00958720
                                                                                                                            • Part of subcall function 00983EDD: ReadFile.KERNEL32(?,?,00000000,?,00000000), ref: 00983F73
                                                                                                                          • SetFilePointerEx.KERNEL32(00000000,0098B4B8,00000000,00000000,00000000,?,00000000,0098B500,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 009587CD
                                                                                                                          • GetLastError.KERNEL32 ref: 009587D7
                                                                                                                          • FindCloseChangeNotification.KERNEL32(00000000,?,00000000,0098B500,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00958902
                                                                                                                          Strings
                                                                                                                          • Failed to create engine file at path: %ls, xrefs: 00958751
                                                                                                                          • Failed to seek to signature table in exe header., xrefs: 0095886C
                                                                                                                          • Failed to seek to beginning of engine file: %ls, xrefs: 00958779
                                                                                                                          • Failed to zero out original data offset., xrefs: 009588F4
                                                                                                                          • msi.dll, xrefs: 00958814
                                                                                                                          • Failed to copy engine from: %ls to: %ls, xrefs: 009587A8
                                                                                                                          • cabinet.dll, xrefs: 0095887B
                                                                                                                          • Failed to seek to original data in exe burn section header., xrefs: 009588DB
                                                                                                                          • Failed to seek to checksum in exe header., xrefs: 00958805
                                                                                                                          • Failed to update signature offset., xrefs: 00958821
                                                                                                                          • cache.cpp, xrefs: 00958744, 009587FB, 00958862, 009588D1
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.2883260240.0000000000941000.00000020.00000001.01000000.00000005.sdmp, Offset: 00940000, based on PE: true
                                                                                                                          • Associated: 00000001.00000002.2882942936.0000000000940000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883756918.000000000098B000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883978416.00000000009AA000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2884234589.00000000009AD000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_1_2_940000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: File$ErrorLast$ChangeCloseCreateFindNotificationPointerRead
                                                                                                                          • String ID: Failed to copy engine from: %ls to: %ls$Failed to create engine file at path: %ls$Failed to seek to beginning of engine file: %ls$Failed to seek to checksum in exe header.$Failed to seek to original data in exe burn section header.$Failed to seek to signature table in exe header.$Failed to update signature offset.$Failed to zero out original data offset.$cabinet.dll$cache.cpp$msi.dll
                                                                                                                          • API String ID: 3608016165-1976062716
                                                                                                                          • Opcode ID: c31ff7ea1d72b9b535419682bba6c28bb3542e9f8ac8890f09586bcd6a99b3fa
                                                                                                                          • Instruction ID: 3ded90293e53a9995e132473aaf2b0565e2efc71888fed9a1f6002f2be0d97da
                                                                                                                          • Opcode Fuzzy Hash: c31ff7ea1d72b9b535419682bba6c28bb3542e9f8ac8890f09586bcd6a99b3fa
                                                                                                                          • Instruction Fuzzy Hash: 9551D973A51636BBEB11AAA54C46F7F7568EF84B11F150124FE10FB281EF109C0497E1
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Control-flow Graph

                                                                                                                          • Executed
                                                                                                                          • Not Executed
                                                                                                                          APIs
                                                                                                                          • InitializeCriticalSection.KERNEL32(0095756B,009453BD,00000000,00945445), ref: 0094764C
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.2883260240.0000000000941000.00000020.00000001.01000000.00000005.sdmp, Offset: 00940000, based on PE: true
                                                                                                                          • Associated: 00000001.00000002.2882942936.0000000000940000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883756918.000000000098B000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883978416.00000000009AA000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2884234589.00000000009AD000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_1_2_940000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CriticalInitializeSection
                                                                                                                          • String ID: #$$$'$0$Date$Failed to add built-in variable: %ls.$InstallerName$InstallerVersion$LogonUser$WixBundleAction$WixBundleActiveParent$WixBundleElevated$WixBundleExecutePackageAction$WixBundleExecutePackageCacheFolder$WixBundleForcedRestartPackage$WixBundleInstalled$WixBundleProviderKey$WixBundleSourceProcessFolder$WixBundleSourceProcessPath$WixBundleTag$WixBundleUILevel$WixBundleVersion
                                                                                                                          • API String ID: 32694325-3635313340
                                                                                                                          • Opcode ID: 2da596762e4cb58f90a5068a61c81930b3a574e972435882944203a6b9dc7c96
                                                                                                                          • Instruction ID: 6c602a0487959fea0106267a140cee4f3a2f6d2c7e131f1f880ff0f259dd40c7
                                                                                                                          • Opcode Fuzzy Hash: 2da596762e4cb58f90a5068a61c81930b3a574e972435882944203a6b9dc7c96
                                                                                                                          • Instruction Fuzzy Hash: A63245F0C157299BDBB59F5AD98878DFAF4BB49304F9085EED20CA6311C7B00A888F55
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • GetCurrentProcess.KERNEL32(00000000,?,00000000,?), ref: 00958310
                                                                                                                            • Part of subcall function 00980879: OpenProcessToken.ADVAPI32(?,00000008,?,?,00000000,?,?,?,?,0095831C,00000000), ref: 00980897
                                                                                                                            • Part of subcall function 00980879: GetLastError.KERNEL32(?,?,?,?,0095831C,00000000), ref: 009808A1
                                                                                                                            • Part of subcall function 00980879: FindCloseChangeNotification.KERNEL32(?,?,?,?,?,0095831C,00000000), ref: 0098092B
                                                                                                                          • GetWindowsDirectoryW.KERNEL32(?,00000104,00000000), ref: 00958336
                                                                                                                          • GetLastError.KERNEL32 ref: 00958340
                                                                                                                          • GetTempPathW.KERNEL32(00000104,?,00000000), ref: 009583BD
                                                                                                                          • GetLastError.KERNEL32 ref: 009583C7
                                                                                                                          • UuidCreate.RPCRT4(?), ref: 00958406
                                                                                                                          Strings
                                                                                                                          • Failed to create working folder guid., xrefs: 00958413
                                                                                                                          • Failed to convert working folder guid into string., xrefs: 00958446
                                                                                                                          • Temp\, xrefs: 00958395
                                                                                                                          • Failed to ensure windows path for working folder ended in backslash., xrefs: 0095838B
                                                                                                                          • Failed to get temp path for working folder., xrefs: 009583F5
                                                                                                                          • Failed to concat Temp directory on windows path for working folder., xrefs: 009583AD
                                                                                                                          • Failed to get windows path for working folder., xrefs: 0095836E
                                                                                                                          • Failed to copy working folder path., xrefs: 0095848B
                                                                                                                          • Failed to append bundle id on to temp path for working folder., xrefs: 00958470
                                                                                                                          • %ls%ls\, xrefs: 00958458
                                                                                                                          • cache.cpp, xrefs: 00958364, 009583EB, 0095843C
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.2883260240.0000000000941000.00000020.00000001.01000000.00000005.sdmp, Offset: 00940000, based on PE: true
                                                                                                                          • Associated: 00000001.00000002.2882942936.0000000000940000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883756918.000000000098B000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883978416.00000000009AA000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2884234589.00000000009AD000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_1_2_940000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorLast$Process$ChangeCloseCreateCurrentDirectoryFindNotificationOpenPathTempTokenUuidWindows
                                                                                                                          • String ID: %ls%ls\$Failed to append bundle id on to temp path for working folder.$Failed to concat Temp directory on windows path for working folder.$Failed to convert working folder guid into string.$Failed to copy working folder path.$Failed to create working folder guid.$Failed to ensure windows path for working folder ended in backslash.$Failed to get temp path for working folder.$Failed to get windows path for working folder.$Temp\$cache.cpp
                                                                                                                          • API String ID: 2898636500-819636856
                                                                                                                          • Opcode ID: d9f9c1142e161a09d7a174de5cbfc3aa6d9840adc88dbadcab5f835678841dd2
                                                                                                                          • Instruction ID: ec721bff5b4f4cef3729a8bc871893682273c3658217c51d8a1ca0747659fff7
                                                                                                                          • Opcode Fuzzy Hash: d9f9c1142e161a09d7a174de5cbfc3aa6d9840adc88dbadcab5f835678841dd2
                                                                                                                          • Instruction Fuzzy Hash: 12410932A45325B7DB30DAE6CC0AFAB736C9B80B15F004565BE04F7240EB749D0887E1
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • CoInitializeEx.OLE32(00000000,00000000), ref: 0096111D
                                                                                                                          • CoUninitialize.OLE32 ref: 00961398
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.2883260240.0000000000941000.00000020.00000001.01000000.00000005.sdmp, Offset: 00940000, based on PE: true
                                                                                                                          • Associated: 00000001.00000002.2882942936.0000000000940000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883756918.000000000098B000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883978416.00000000009AA000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2884234589.00000000009AD000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_1_2_940000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: InitializeUninitialize
                                                                                                                          • String ID: <the>.cab$Failed to extract all files from container, erf: %d:%X:%d$Failed to initialize COM.$Failed to initialize cabinet.dll.$Failed to reset begin operation event.$Failed to set operation complete event.$Failed to wait for begin operation event.$Invalid operation for this state.$cabextract.cpp
                                                                                                                          • API String ID: 3442037557-1168358783
                                                                                                                          • Opcode ID: 4b784da781d2d40caee9c59cae7a59c8bb7edf1e57c171a4e4e4ebcf63bdbe9a
                                                                                                                          • Instruction ID: d7e80c1dd0bac60b9929585af3700c26d599d3121b65e9ca4c047e03ded7a960
                                                                                                                          • Opcode Fuzzy Hash: 4b784da781d2d40caee9c59cae7a59c8bb7edf1e57c171a4e4e4ebcf63bdbe9a
                                                                                                                          • Instruction Fuzzy Hash: DC515A37A44261E7CF2097A88C55E6B7668EBC1770B2E4725FD22FB390D6298C0092D5
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.2883260240.0000000000941000.00000020.00000001.01000000.00000005.sdmp, Offset: 00940000, based on PE: true
                                                                                                                          • Associated: 00000001.00000002.2882942936.0000000000940000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883756918.000000000098B000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883978416.00000000009AA000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2884234589.00000000009AD000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_1_2_940000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: lstrlen
                                                                                                                          • String ID: Failed to convert version: %ls to DWORD64 for ProductCode: %ls$Failed to copy the installed ProductCode to the package.$Failed to enum related products.$Failed to get product information for ProductCode: %ls$Failed to get version for product in machine context: %ls$Failed to get version for product in user unmanaged context: %ls$Failed to query feature state.$Invalid state value.$Language$UX aborted detect compatible MSI package.$UX aborted detect related MSI package.$UX aborted detect.$VersionString$msasn1.dll$msiengine.cpp
                                                                                                                          • API String ID: 1659193697-2574767977
                                                                                                                          • Opcode ID: 3bb409aa3164dbfd579f0e88233e618e794bc6a912eb71b568ab6296f8e66114
                                                                                                                          • Instruction ID: 927c128a7e3dd724251bb080181e6444a1295fa7439dbca0a6f6e608470b5b37
                                                                                                                          • Opcode Fuzzy Hash: 3bb409aa3164dbfd579f0e88233e618e794bc6a912eb71b568ab6296f8e66114
                                                                                                                          • Instruction Fuzzy Hash: 1B227B31900218EFDF21DFE4CC85FAEBBB9BF84704F148569E909AB256D7359984CB60
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • InitializeCriticalSection.KERNEL32(00000000,?,00000000,00000000,?,?,00945266,?,?,00000000,?,?), ref: 00944303
                                                                                                                          • InitializeCriticalSection.KERNEL32(000000D0,?,?,00945266,?,?,00000000,?,?), ref: 0094430C
                                                                                                                          • lstrlenW.KERNEL32(burn.filehandle.attached,000004B8,000004A0,?,?,00945266,?,?,00000000,?,?), ref: 00944352
                                                                                                                          • lstrlenW.KERNEL32(burn.filehandle.attached,burn.filehandle.attached,00000000,?,?,00945266,?,?,00000000,?,?), ref: 0094435C
                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000001,?,00000000,?,?,00945266,?,?,00000000,?,?), ref: 00944370
                                                                                                                          • lstrlenW.KERNEL32(burn.filehandle.attached,?,?,00945266,?,?,00000000,?,?), ref: 00944380
                                                                                                                          • lstrlenW.KERNEL32(burn.filehandle.self,?,?,00945266,?,?,00000000,?,?), ref: 009443D0
                                                                                                                          • lstrlenW.KERNEL32(burn.filehandle.self,burn.filehandle.self,00000000,?,?,00945266,?,?,00000000,?,?), ref: 009443DA
                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000001,?,00000000,?,?,00945266,?,?,00000000,?,?), ref: 009443EE
                                                                                                                          • lstrlenW.KERNEL32(burn.filehandle.self,?,?,00945266,?,?,00000000,?,?), ref: 009443FE
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.2883260240.0000000000941000.00000020.00000001.01000000.00000005.sdmp, Offset: 00940000, based on PE: true
                                                                                                                          • Associated: 00000001.00000002.2882942936.0000000000940000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883756918.000000000098B000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883978416.00000000009AA000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2884234589.00000000009AD000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_1_2_940000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: lstrlen$CompareCriticalInitializeSectionString
                                                                                                                          • String ID: Failed to initialize engine section.$Failed to parse file handle: '%ls'$Missing required parameter for switch: %ls$burn.filehandle.attached$burn.filehandle.self$engine.cpp
                                                                                                                          • API String ID: 3039292287-3209860532
                                                                                                                          • Opcode ID: e2fb89c36ed0568d61b0f6274710adc3af158c6a22966d29aad8379db66d1fba
                                                                                                                          • Instruction ID: a8b77ae9158f357b1b60f28de33b3e6a4075f4cd310c4851cee5de5048a2d7da
                                                                                                                          • Opcode Fuzzy Hash: e2fb89c36ed0568d61b0f6274710adc3af158c6a22966d29aad8379db66d1fba
                                                                                                                          • Instruction Fuzzy Hash: 5251A371A44216BEC724EF68CC86F9A77ACFF44764F140116F615EB3A0D770A950CBA4
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • TlsSetValue.KERNEL32(?,?), ref: 0095E7FF
                                                                                                                          • RegisterClassW.USER32(?), ref: 0095E82B
                                                                                                                          • GetLastError.KERNEL32 ref: 0095E836
                                                                                                                          • CreateWindowExW.USER32(00000080,00999E54,00000000,90000000,80000000,00000008,00000000,00000000,00000000,00000000,?,?), ref: 0095E89D
                                                                                                                          • GetLastError.KERNEL32 ref: 0095E8A7
                                                                                                                          • UnregisterClassW.USER32(WixBurnMessageWindow,?), ref: 0095E945
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.2883260240.0000000000941000.00000020.00000001.01000000.00000005.sdmp, Offset: 00940000, based on PE: true
                                                                                                                          • Associated: 00000001.00000002.2882942936.0000000000940000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883756918.000000000098B000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883978416.00000000009AA000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2884234589.00000000009AD000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_1_2_940000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ClassErrorLast$CreateRegisterUnregisterValueWindow
                                                                                                                          • String ID: Failed to create window.$Failed to register window.$Unexpected return value from message pump.$WixBurnMessageWindow$uithread.cpp
                                                                                                                          • API String ID: 213125376-288575659
                                                                                                                          • Opcode ID: 27976f49df5daa9112b8a6984e919edb146e9c170a1a93db450a04894616280e
                                                                                                                          • Instruction ID: 30cf436495fac47d5c9552b8942815e6cf4994796b2783cf674d0ce2212196f9
                                                                                                                          • Opcode Fuzzy Hash: 27976f49df5daa9112b8a6984e919edb146e9c170a1a93db450a04894616280e
                                                                                                                          • Instruction Fuzzy Hash: A541C572901215ABCB24CBA6DC44BDEBFB8EF08751F144126FE15AA290D7329A04DBA0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00000000,00983609,00000000,?,00000000), ref: 00983069
                                                                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,0096C025,?,00945405,?,00000000,?), ref: 00983075
                                                                                                                          • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 009830B5
                                                                                                                          • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 009830C1
                                                                                                                          • GetProcAddress.KERNEL32(00000000,Wow64EnableWow64FsRedirection), ref: 009830CC
                                                                                                                          • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 009830D6
                                                                                                                          • CoCreateInstance.OLE32(009AB6B8,00000000,00000001,0098B818,?,?,?,?,?,?,?,?,?,?,?,0096C025), ref: 00983111
                                                                                                                          • ExitProcess.KERNEL32 ref: 009831C0
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.2883260240.0000000000941000.00000020.00000001.01000000.00000005.sdmp, Offset: 00940000, based on PE: true
                                                                                                                          • Associated: 00000001.00000002.2882942936.0000000000940000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883756918.000000000098B000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883978416.00000000009AA000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2884234589.00000000009AD000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_1_2_940000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: AddressProc$CreateErrorExitHandleInstanceLastModuleProcess
                                                                                                                          • String ID: IsWow64Process$Wow64DisableWow64FsRedirection$Wow64EnableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$xmlutil.cpp
                                                                                                                          • API String ID: 2124981135-499589564
                                                                                                                          • Opcode ID: a6bd7976f478a9c7f93fb09a8e41162a73aa11f05a73704f840c20371924eea7
                                                                                                                          • Instruction ID: 20762b524391f9aa30cb4c2d136fd62c873264687d956ea35d8cef0d570efcc4
                                                                                                                          • Opcode Fuzzy Hash: a6bd7976f478a9c7f93fb09a8e41162a73aa11f05a73704f840c20371924eea7
                                                                                                                          • Instruction Fuzzy Hash: 8341A332A05315ABDB24EFA8C859F6EB7A8EF45F10F158168E901EB381D775DE009B90
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • _MREFOpen@16.MSPDB140-MSVCRT ref: 0094A2B3
                                                                                                                          • _MREFOpen@16.MSPDB140-MSVCRT ref: 0094A30E
                                                                                                                          • RegQueryValueExW.KERNEL32(000002C0,00000100,00000000,000002C0,00000000,00000000,000002C0,?,00000100,00000000,?,00000000,?,000002C0,000002C0,?), ref: 0094A32F
                                                                                                                          • RegCloseKey.KERNEL32(00000000,00000100,00000000,000002C0,00000100,00000000,000002C0), ref: 0094A405
                                                                                                                          Strings
                                                                                                                          • Failed to set variable., xrefs: 0094A3BD
                                                                                                                          • Registry value not found. Key = '%ls', Value = '%ls', xrefs: 0094A37A
                                                                                                                          • Failed to open registry key. Key = '%ls', xrefs: 0094A3C7
                                                                                                                          • Registry key not found. Key = '%ls', xrefs: 0094A396
                                                                                                                          • Failed to query registry key value., xrefs: 0094A36A
                                                                                                                          • Failed to format value string., xrefs: 0094A319
                                                                                                                          • Failed to format key string., xrefs: 0094A2BE
                                                                                                                          • search.cpp, xrefs: 0094A360
                                                                                                                          • RegistrySearchExists failed: ID '%ls', HRESULT 0x%x, xrefs: 0094A3DD
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.2883260240.0000000000941000.00000020.00000001.01000000.00000005.sdmp, Offset: 00940000, based on PE: true
                                                                                                                          • Associated: 00000001.00000002.2882942936.0000000000940000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883756918.000000000098B000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883978416.00000000009AA000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2884234589.00000000009AD000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_1_2_940000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Open@16$CloseQueryValue
                                                                                                                          • String ID: Failed to format key string.$Failed to format value string.$Failed to open registry key. Key = '%ls'$Failed to query registry key value.$Failed to set variable.$Registry key not found. Key = '%ls'$Registry value not found. Key = '%ls', Value = '%ls'$RegistrySearchExists failed: ID '%ls', HRESULT 0x%x$search.cpp
                                                                                                                          • API String ID: 2702208347-46557908
                                                                                                                          • Opcode ID: 395fdd8be2769e5e169ce7da70a3c50c94a65a6ab00d90f6d2f06ed55b88d54b
                                                                                                                          • Instruction ID: 068d31f8a0b6c16dc82336d7a617bb7684cca8eecc17587494ce69454cd8ba6d
                                                                                                                          • Opcode Fuzzy Hash: 395fdd8be2769e5e169ce7da70a3c50c94a65a6ab00d90f6d2f06ed55b88d54b
                                                                                                                          • Instruction Fuzzy Hash: B341D872D80128BBDB226F94CC06FAFBB68EB84710F114255FD14B6251E7719E10A792
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • CreateFileW.KERNEL32(0096AD7D,80000000,00000001,00000000,00000003,08000080,00000000,?,00000000,?,?,0096AD7D), ref: 0094C2D6
                                                                                                                          • GetLastError.KERNEL32(?,0096AD7D), ref: 0094C2E7
                                                                                                                          • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00000000,?,?,0096AD7D), ref: 0094C336
                                                                                                                          • GetCurrentProcess.KERNEL32(000000FF,00000000,?,0096AD7D), ref: 0094C33C
                                                                                                                          • DuplicateHandle.KERNELBASE(00000000,?,0096AD7D), ref: 0094C33F
                                                                                                                          • GetLastError.KERNEL32(?,0096AD7D), ref: 0094C349
                                                                                                                          • SetFilePointerEx.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0096AD7D), ref: 0094C39B
                                                                                                                          • GetLastError.KERNEL32(?,0096AD7D), ref: 0094C3A5
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.2883260240.0000000000941000.00000020.00000001.01000000.00000005.sdmp, Offset: 00940000, based on PE: true
                                                                                                                          • Associated: 00000001.00000002.2882942936.0000000000940000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883756918.000000000098B000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883978416.00000000009AA000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2884234589.00000000009AD000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_1_2_940000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorLast$CurrentFileProcess$CreateDuplicateHandlePointer
                                                                                                                          • String ID: Failed to duplicate handle to container: %ls$Failed to move file pointer to container offset.$Failed to open container.$Failed to open file: %ls$container.cpp
                                                                                                                          • API String ID: 2619879409-2168299741
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • InternetOpenW.WININET(Burn,00000000,00000000,00000000,00000000), ref: 00986507
                                                                                                                          • GetLastError.KERNEL32(?,0096A41C,?,?,?,?,00969B69), ref: 00986513
                                                                                                                          • InternetSetOptionW.WININET(00000000,00000002,00000000,00000004), ref: 0098657A
                                                                                                                          • InternetSetOptionW.WININET(00000000,00000006,00000000,00000004), ref: 00986585
                                                                                                                          • InternetSetOptionW.WININET(00000000,00000005,00000000,00000004), ref: 00986590
                                                                                                                          • DeleteFileW.KERNEL32(00969B69,00000000,?,?,?,?,000000FF,00969B69,?,?,?,?,000000FF,?,?,?), ref: 0098660A
                                                                                                                          • CloseHandle.KERNEL32(000000FF,00000000,?,?,?,?,000000FF,00969B69,?,?,?,?,000000FF,?,?,?), ref: 00986619
                                                                                                                          • InternetCloseHandle.WININET(00000000), ref: 00986631
                                                                                                                          Similarity
                                                                                                                          • API ID: Internet$Option$CloseHandle$DeleteErrorFileLastOpen
                                                                                                                          • String ID: Burn$DownloadTimeout$WiX\Burn$dlutil.cpp
                                                                                                                          • API String ID: 2553576872-1704223933

                                                                                                                          APIs
                                                                                                                          • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,0000001C,?,00000000,00000000,00000000,00000000,?,0094C3EB,00000000,0096AD7D,?,0096AD7D), ref: 00961778
                                                                                                                          • GetLastError.KERNEL32(?,0094C3EB,00000000,0096AD7D,?,0096AD7D), ref: 00961781
                                                                                                                          Similarity
                                                                                                                          • API ID: CreateErrorEventLast
                                                                                                                          • String ID: Failed to copy file name.$Failed to create begin operation event.$Failed to create extraction thread.$Failed to create operation complete event.$Failed to wait for operation complete.$cabextract.cpp
                                                                                                                          • API String ID: 545576003-1680384675

                                                                                                                          APIs
                                                                                                                          • CompareStringA.KERNEL32(00000000,00000000,<the>.cab,?,?), ref: 009608F2
                                                                                                                          • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,?), ref: 0096090A
                                                                                                                          • GetCurrentProcess.KERNEL32(?,00000000,?,?), ref: 0096090F
                                                                                                                          • DuplicateHandle.KERNELBASE(00000000,?,?), ref: 00960912
                                                                                                                          • GetLastError.KERNEL32(?,?), ref: 0096091C
                                                                                                                          • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,08000080,00000000,?,?), ref: 0096098B
                                                                                                                          • GetLastError.KERNEL32(?,?), ref: 00960998
                                                                                                                          Strings
                                                                                                                          • cabextract.cpp, xrefs: 00960940, 009609BC
                                                                                                                          • Failed to add virtual file pointer for cab container., xrefs: 00960971
                                                                                                                          • Failed to open cabinet file: %hs, xrefs: 009609C9
                                                                                                                          • Failed to duplicate handle to cab container., xrefs: 0096094A
                                                                                                                          • <the>.cab, xrefs: 009608EB
                                                                                                                          Similarity
                                                                                                                          • API ID: CurrentErrorLastProcess$CompareCreateDuplicateFileHandleString
                                                                                                                          • String ID: <the>.cab$Failed to add virtual file pointer for cab container.$Failed to duplicate handle to cab container.$Failed to open cabinet file: %hs$cabextract.cpp
                                                                                                                          • API String ID: 3030546534-3446344238

                                                                                                                          APIs
                                                                                                                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,00000000,74DF2F60,?,00000000,00000000,?,?,00000000,?,?,?,?), ref: 00961506
                                                                                                                          • GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000,E0000038,00000000), ref: 00961519
                                                                                                                          • GetExitCodeThread.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0096155B
                                                                                                                          • GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000,E0000038,00000000), ref: 00961569
                                                                                                                          • ResetEvent.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000,E0000038), ref: 009615A4
                                                                                                                          • GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000,E0000038,00000000), ref: 009615AE
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorLast$CodeEventExitMultipleObjectsResetThreadWait
                                                                                                                          • String ID: Failed to get extraction thread exit code.$Failed to reset operation complete event.$Failed to wait for operation complete event.$cabextract.cpp
                                                                                                                          • API String ID: 2979751695-3400260300

                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID: ($Failed to set syncpoint event.$UX aborted cache.$apply.cpp$begin cache package$end cache package$layout bundle
                                                                                                                          • API String ID: 0-826262529

                                                                                                                          Strings
                                                                                                                          • WixBundleOriginalSource, xrefs: 0095A1B7
                                                                                                                          • Failed to copy source path., xrefs: 0095A31A
                                                                                                                          • Failed to combine last source with source., xrefs: 0095A210
                                                                                                                          • WixBundleLayoutDirectory, xrefs: 0095A26C
                                                                                                                          • WixBundleLastUsedSource, xrefs: 0095A1A1
                                                                                                                          • Failed to combine layout source with source., xrefs: 0095A2A4
                                                                                                                          • Failed to get bundle layout directory property., xrefs: 0095A287
                                                                                                                          • Failed to get current process directory., xrefs: 0095A1F3
                                                                                                                          Similarity
                                                                                                                          • API ID: Find$CloseFileFirstlstrlen
                                                                                                                          • String ID: Failed to combine last source with source.$Failed to combine layout source with source.$Failed to copy source path.$Failed to get bundle layout directory property.$Failed to get current process directory.$WixBundleLastUsedSource$WixBundleLayoutDirectory$WixBundleOriginalSource
                                                                                                                          • API String ID: 2767606509-3003062821

                                                                                                                          APIs
                                                                                                                          • PeekMessageW.USER32(00000000,00000000,00000400,00000400,00000000), ref: 009447BB
                                                                                                                          • GetCurrentThreadId.KERNEL32 ref: 009447C1
                                                                                                                          • GetMessageW.USER32(00000000,00000000,00000000,00000000), ref: 0094484F
                                                                                                                          Strings
                                                                                                                          • engine.cpp, xrefs: 0094489B
                                                                                                                          • Failed to load UX., xrefs: 00944804
                                                                                                                          • Unexpected return value from message pump., xrefs: 009448A5
                                                                                                                          • Failed to start bootstrapper application., xrefs: 0094481D
                                                                                                                          • wininet.dll, xrefs: 009447EE
                                                                                                                          • Failed to create engine for UX., xrefs: 009447DB
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.2883260240.0000000000941000.00000020.00000001.01000000.00000005.sdmp, Offset: 00940000, based on PE: true
                                                                                                                          • Associated: 00000001.00000002.2882942936.0000000000940000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883756918.000000000098B000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883978416.00000000009AA000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2884234589.00000000009AD000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_1_2_940000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Message$CurrentPeekThread
                                                                                                                          • String ID: Failed to create engine for UX.$Failed to load UX.$Failed to start bootstrapper application.$Unexpected return value from message pump.$engine.cpp$wininet.dll
                                                                                                                          • API String ID: 673430819-2573580774
                                                                                                                          • Opcode ID: 6d8241d0b7a874bb2882f508c00f6e432dccc471be51b556b4b1485bc89afdf2
                                                                                                                          • Instruction ID: ca7ee32605b23ed1639d317e686c609ff6a5f558bfba3409ef024dea4b8adccf
                                                                                                                          • Opcode Fuzzy Hash: 6d8241d0b7a874bb2882f508c00f6e432dccc471be51b556b4b1485bc89afdf2
                                                                                                                          • Instruction Fuzzy Hash: A6418071A00555BFEB14EBA4CC85FBAB7ACEF44718F20062AF905E7391DB35AD0587A0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • GetCurrentProcessId.KERNEL32(?,00000000,?,?,0098B500), ref: 009550D3
                                                                                                                          • GetProcessId.KERNEL32(000000FF,?,?,open,00000000,00000000,?,000000FF,?,?), ref: 00955171
                                                                                                                          • CloseHandle.KERNEL32(00000000), ref: 0095518A
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.2883260240.0000000000941000.00000020.00000001.01000000.00000005.sdmp, Offset: 00940000, based on PE: true
                                                                                                                          • Associated: 00000001.00000002.2882942936.0000000000940000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883756918.000000000098B000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883978416.00000000009AA000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2884234589.00000000009AD000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_1_2_940000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Process$CloseCurrentHandle
                                                                                                                          • String ID: -q -%ls %ls %ls %u$Failed to allocate parameters for elevated process.$Failed to launch elevated child process: %ls$burn.elevated$open$runas
                                                                                                                          • API String ID: 2815245435-1352204306
                                                                                                                          • Opcode ID: 6cac3455b323357fa3fb578da13d5a32489b5c11231a60dc769c3cf8fa2b3593
                                                                                                                          • Instruction ID: f1c94b767830fa21024d68383a365454a7c39256b4adc5881a160aee5127ca70
                                                                                                                          • Opcode Fuzzy Hash: 6cac3455b323357fa3fb578da13d5a32489b5c11231a60dc769c3cf8fa2b3593
                                                                                                                          • Instruction Fuzzy Hash: 2021AD71D04A0CFFCF11EF99CC51EAEBBB8EF48315B01816AF810A2211D7309E149B90
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • LoadLibraryExW.KERNEL32(?,00000000,00000008,00000000,?,009447FE,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,0094548E,?), ref: 0094D6DA
                                                                                                                          • GetLastError.KERNEL32(?,009447FE,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,0094548E,?,?), ref: 0094D6E7
                                                                                                                          • GetProcAddress.KERNEL32(00000000,BootstrapperApplicationCreate), ref: 0094D71F
                                                                                                                          • GetLastError.KERNEL32(?,009447FE,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,0094548E,?,?), ref: 0094D72B
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.2883260240.0000000000941000.00000020.00000001.01000000.00000005.sdmp, Offset: 00940000, based on PE: true
                                                                                                                          • Associated: 00000001.00000002.2882942936.0000000000940000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883756918.000000000098B000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883978416.00000000009AA000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2884234589.00000000009AD000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_1_2_940000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorLast$AddressLibraryLoadProc
                                                                                                                          • String ID: BootstrapperApplicationCreate$Failed to create UX.$Failed to get BootstrapperApplicationCreate entry-point$Failed to load UX DLL.$userexperience.cpp
                                                                                                                          • API String ID: 1866314245-2276003667
                                                                                                                          • Opcode ID: 08bc446cc5035fb730e925e6fb14857021013a605c101cef384ec216272c5df7
                                                                                                                          • Instruction ID: 52f86652ec9c831bd5017c43b11242f474dd3a5a81ce37a13e5517ea1d61fed1
                                                                                                                          • Opcode Fuzzy Hash: 08bc446cc5035fb730e925e6fb14857021013a605c101cef384ec216272c5df7
                                                                                                                          • Instruction Fuzzy Hash: CA11C47BA82732A7CB316A955C15F1B6A94AF45B25F024525FF11FB380DB20EC0097D0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • ReadFile.KERNEL32(00000000,?,00000008,?,00000000,?,00000000,00000000,?,00000000,?,?,00000000,00000001,00000000), ref: 0095495A
                                                                                                                          • GetLastError.KERNEL32 ref: 00954967
                                                                                                                          • ReadFile.KERNEL32(00000000,00000000,?,?,00000000,?,00000000), ref: 00954A12
                                                                                                                          • GetLastError.KERNEL32 ref: 00954A1C
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.2883260240.0000000000941000.00000020.00000001.01000000.00000005.sdmp, Offset: 00940000, based on PE: true
                                                                                                                          • Associated: 00000001.00000002.2882942936.0000000000940000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883756918.000000000098B000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883978416.00000000009AA000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2884234589.00000000009AD000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_1_2_940000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorFileLastRead
                                                                                                                          • String ID: Failed to allocate data for message.$Failed to read data for message.$Failed to read message from pipe.$pipe.cpp
                                                                                                                          • API String ID: 1948546556-3912962418
                                                                                                                          • Opcode ID: 24a94dfa827d4f80bcbf227c08c7336cbc578b4f73b11e9c8e3e086030fd93e8
                                                                                                                          • Instruction ID: 4333374b3260ef877398868feab6cda07492e4e2ad2e03da5dfcee4e252c3d85
                                                                                                                          • Opcode Fuzzy Hash: 24a94dfa827d4f80bcbf227c08c7336cbc578b4f73b11e9c8e3e086030fd93e8
                                                                                                                          • Instruction Fuzzy Hash: 9E310932D44229BBDF61DBA68C46FAFF768BB04B2AF108125FD50A6280D7749D8487D4
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • RegOpenKeyExW.KERNEL32(80000000,CLSID\{DE1F9AFB-3771-4B80-9EFA-E68FC3D4A19E},00000000,00020019,?), ref: 6CBE17A6
                                                                                                                          • RegOpenKeyExW.KERNEL32(80000000,CLSID\{DE1F9AFB-3771-4B80-9EFA-E68FC3D4A19E},00000000,00020119,?), ref: 6CBE17D9
                                                                                                                          • RegCloseKey.ADVAPI32(?), ref: 6CBE17F6
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.2896551563.000000006CBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBE0000, based on PE: true
                                                                                                                          • Associated: 00000001.00000002.2896326088.000000006CBE0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                          • Associated: 00000001.00000002.2896800650.000000006CBF4000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                          • Associated: 00000001.00000002.2896951107.000000006CBFB000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                          • Associated: 00000001.00000002.2897035291.000000006CBFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_1_2_6cbe0000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Open$Close
                                                                                                                          • String ID: CLSID\{DE1F9AFB-3771-4B80-9EFA-E68FC3D4A19E}$DisableCiqUdf$EnableCiqUdf$Failed to open registry key.$Running detect BA function
                                                                                                                          • API String ID: 3083169812-3375424851
                                                                                                                          • Opcode ID: 7a98416e71ac26505e378f9957bed56d058a8dab4c0b2bf5c204ee9061a1ed00
                                                                                                                          • Instruction ID: c59049befc5fb56212446ed8a98d2ffd5cead361934f1dbd25936168a4508a60
                                                                                                                          • Opcode Fuzzy Hash: 7a98416e71ac26505e378f9957bed56d058a8dab4c0b2bf5c204ee9061a1ed00
                                                                                                                          • Instruction Fuzzy Hash: 2F212676B40250ABC710EBA8CC46F9AB7A4EB48B92F244519FE15AF7C2D721D804C7D6
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • SetFileAttributesW.KERNEL32(?,00000000,?,00000000,?,?,?,?,00000000,00000000), ref: 0096A33E
                                                                                                                          • GetLastError.KERNEL32(?,?,?,?,00000000,00000000), ref: 0096A348
                                                                                                                          Strings
                                                                                                                          • :, xrefs: 0096A3C1
                                                                                                                          • Failed to clear readonly bit on payload destination path: %ls, xrefs: 0096A377
                                                                                                                          • Failed attempt to download URL: '%ls' to: '%ls', xrefs: 0096A425
                                                                                                                          • download, xrefs: 0096A308
                                                                                                                          • apply.cpp, xrefs: 0096A36C
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.2883260240.0000000000941000.00000020.00000001.01000000.00000005.sdmp, Offset: 00940000, based on PE: true
                                                                                                                          • Associated: 00000001.00000002.2882942936.0000000000940000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883756918.000000000098B000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883978416.00000000009AA000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2884234589.00000000009AD000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_1_2_940000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: AttributesErrorFileLast
                                                                                                                          • String ID: :$Failed attempt to download URL: '%ls' to: '%ls'$Failed to clear readonly bit on payload destination path: %ls$apply.cpp$download
                                                                                                                          • API String ID: 1799206407-1905830404
                                                                                                                          • Opcode ID: d5bb61c03efa157227e9bbed9f79fe78be2e5f11d9e522a21e20ad3e30423e8a
                                                                                                                          • Instruction ID: a90d1debd33e9c8702f76fd2a38f186bb0a7b57816d3b27a7d126acc75a67acd
                                                                                                                          • Opcode Fuzzy Hash: d5bb61c03efa157227e9bbed9f79fe78be2e5f11d9e522a21e20ad3e30423e8a
                                                                                                                          • Instruction Fuzzy Hash: F7518D71A00219ABDB11DFA9C841EAEB7B8FF54710F14815AE914FB350E775EA40CF92
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • RegCloseKey.ADVAPI32(?,?,?,00000001,?,?,?,00000001,00000000,?,00000000,?,?,?,00000000,?), ref: 0094F942
                                                                                                                          • RegCloseKey.ADVAPI32(00000000,?,?,00000001,?,?,?,00000001,00000000,?,00000000,?,?,?,00000000,?), ref: 0094F94F
                                                                                                                          Strings
                                                                                                                          • Failed to read Resume value., xrefs: 0094F8D8
                                                                                                                          • Failed to open registration key., xrefs: 0094F8AB
                                                                                                                          • %ls.RebootRequired, xrefs: 0094F82F
                                                                                                                          • Resume, xrefs: 0094F8B6
                                                                                                                          • Failed to format pending restart registry key to read., xrefs: 0094F846
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.2883260240.0000000000941000.00000020.00000001.01000000.00000005.sdmp, Offset: 00940000, based on PE: true
                                                                                                                          • Associated: 00000001.00000002.2882942936.0000000000940000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883756918.000000000098B000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883978416.00000000009AA000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2884234589.00000000009AD000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_1_2_940000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Close
                                                                                                                          • String ID: %ls.RebootRequired$Failed to format pending restart registry key to read.$Failed to open registration key.$Failed to read Resume value.$Resume
                                                                                                                          • API String ID: 3535843008-3890505273
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • WaitForSingleObject.KERNEL32(00000001,000000FF,00000000,?,00956EED,crypt32.dll,?,00000000,?,00000000,00000001), ref: 009569BB
                                                                                                                          • GetLastError.KERNEL32(?,00956EED,crypt32.dll,?,00000000,?,00000000,00000001), ref: 009569C5
                                                                                                                          • GetExitCodeThread.KERNEL32(00000001,00000000,?,00956EED,crypt32.dll,?,00000000,?,00000000,00000001), ref: 00956A04
                                                                                                                          • GetLastError.KERNEL32(?,00956EED,crypt32.dll,?,00000000,?,00000000,00000001), ref: 00956A0E
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.2883260240.0000000000941000.00000020.00000001.01000000.00000005.sdmp, Offset: 00940000, based on PE: true
                                                                                                                          • Associated: 00000001.00000002.2882942936.0000000000940000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883756918.000000000098B000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883978416.00000000009AA000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2884234589.00000000009AD000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_1_2_940000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorLast$CodeExitObjectSingleThreadWait
                                                                                                                          • String ID: Failed to get cache thread exit code.$Failed to wait for cache thread to terminate.$core.cpp
                                                                                                                          • API String ID: 3686190907-2546940223
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • CloseHandle.KERNEL32(00000000,?,?,00000001,0098B500,?,00000001,000000FF,?,?,75C0B390,00000000,00000001,00000000,?,009574E6), ref: 0095D560
                                                                                                                          Strings
                                                                                                                          • elevation.cpp, xrefs: 0095D46B
                                                                                                                          • Failed to elevate., xrefs: 0095D542
                                                                                                                          • Failed to connect to elevated child process., xrefs: 0095D549
                                                                                                                          • UX aborted elevation requirement., xrefs: 0095D475
                                                                                                                          • Failed to create pipe name and client token., xrefs: 0095D4A1
                                                                                                                          • Failed to create pipe and cache pipe., xrefs: 0095D4BD
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.2883260240.0000000000941000.00000020.00000001.01000000.00000005.sdmp, Offset: 00940000, based on PE: true
                                                                                                                          • Associated: 00000001.00000002.2882942936.0000000000940000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883756918.000000000098B000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883978416.00000000009AA000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2884234589.00000000009AD000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_1_2_940000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CloseHandle
                                                                                                                          • String ID: Failed to connect to elevated child process.$Failed to create pipe and cache pipe.$Failed to create pipe name and client token.$Failed to elevate.$UX aborted elevation requirement.$elevation.cpp
                                                                                                                          • API String ID: 2962429428-3003415917
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • EnterCriticalSection.KERNEL32(009AB5FC,00000000,?,?,?,00954207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,009454FA,?), ref: 00980533
                                                                                                                          • CreateFileW.KERNEL32(40000000,00000001,00000000,00000000,00000080,00000000,?,00000000,?,?,?,009AB5F4,?,00954207,00000000,Setup), ref: 009805D7
                                                                                                                          • GetLastError.KERNEL32(?,00954207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,009454FA,?,?,?), ref: 009805E7
                                                                                                                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00954207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,009454FA,?), ref: 00980621
                                                                                                                            • Part of subcall function 00942DBF: GetLocalTime.KERNEL32(?,?,?,?,?,?), ref: 00942F09
                                                                                                                          • LeaveCriticalSection.KERNEL32(009AB5FC,?,?,009AB5F4,?,00954207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,009454FA,?), ref: 0098067A
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.2883260240.0000000000941000.00000020.00000001.01000000.00000005.sdmp, Offset: 00940000, based on PE: true
                                                                                                                          • Associated: 00000001.00000002.2882942936.0000000000940000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883756918.000000000098B000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883978416.00000000009AA000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2884234589.00000000009AD000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_1_2_940000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CriticalFileSection$CreateEnterErrorLastLeaveLocalPointerTime
                                                                                                                          • String ID: logutil.cpp
                                                                                                                          • API String ID: 4111229724-3545173039
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • VariantInit.OLEAUT32(?), ref: 00983309
                                                                                                                          • SysAllocString.OLEAUT32(?), ref: 00983325
                                                                                                                          • VariantClear.OLEAUT32(?), ref: 009833AC
                                                                                                                          • SysFreeString.OLEAUT32(00000000), ref: 009833B7
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.2883260240.0000000000941000.00000020.00000001.01000000.00000005.sdmp, Offset: 00940000, based on PE: true
                                                                                                                          • Associated: 00000001.00000002.2882942936.0000000000940000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883756918.000000000098B000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883978416.00000000009AA000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2884234589.00000000009AD000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_1_2_940000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: StringVariant$AllocClearFreeInit
                                                                                                                          • String ID: `<u$xmlutil.cpp
                                                                                                                          • API String ID: 760788290-3482516102
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • OpenProcessToken.ADVAPI32(?,00000008,?,?,00000000,?,?,?,?,0095831C,00000000), ref: 00980897
                                                                                                                          • GetLastError.KERNEL32(?,?,?,?,0095831C,00000000), ref: 009808A1
                                                                                                                          • GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,?,0095831C,00000000), ref: 009808D3
                                                                                                                          • GetLastError.KERNEL32(?,?,?,?,0095831C,00000000), ref: 009808EC
                                                                                                                          • FindCloseChangeNotification.KERNEL32(?,?,?,?,?,0095831C,00000000), ref: 0098092B
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.2883260240.0000000000941000.00000020.00000001.01000000.00000005.sdmp, Offset: 00940000, based on PE: true
                                                                                                                          • Associated: 00000001.00000002.2882942936.0000000000940000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883756918.000000000098B000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883978416.00000000009AA000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2884234589.00000000009AD000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_1_2_940000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorLastToken$ChangeCloseFindInformationNotificationOpenProcess
                                                                                                                          • String ID: procutil.cpp
                                                                                                                          • API String ID: 3650908616-1178289305
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • CoInitialize.OLE32(00000000), ref: 00983574
                                                                                                                          • InterlockedIncrement.KERNEL32(009AB6C8), ref: 00983591
                                                                                                                          • CLSIDFromProgID.OLE32(Msxml2.DOMDocument,009AB6B8,?,?,?,?,?,?), ref: 009835AC
                                                                                                                          • CLSIDFromProgID.OLE32(MSXML.DOMDocument,009AB6B8,?,?,?,?,?,?), ref: 009835B8
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.2883260240.0000000000941000.00000020.00000001.01000000.00000005.sdmp, Offset: 00940000, based on PE: true
                                                                                                                          • Associated: 00000001.00000002.2882942936.0000000000940000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883756918.000000000098B000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883978416.00000000009AA000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2884234589.00000000009AD000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_1_2_940000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: FromProg$IncrementInitializeInterlocked
                                                                                                                          • String ID: MSXML.DOMDocument$Msxml2.DOMDocument
                                                                                                                          • API String ID: 2109125048-2356320334
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • DefWindowProcW.USER32(?,00000082,?,?), ref: 0095E985
                                                                                                                          • SetWindowLongW.USER32(?,000000EB,00000000), ref: 0095E994
                                                                                                                          • SetWindowLongW.USER32(?,000000EB,?), ref: 0095E9A8
                                                                                                                          • DefWindowProcW.USER32(?,?,?,?), ref: 0095E9B8
                                                                                                                          • GetWindowLongW.USER32(?,000000EB), ref: 0095E9D2
                                                                                                                          • PostQuitMessage.USER32(00000000), ref: 0095EA31
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.2883260240.0000000000941000.00000020.00000001.01000000.00000005.sdmp, Offset: 00940000, based on PE: true
                                                                                                                          • Associated: 00000001.00000002.2882942936.0000000000940000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883756918.000000000098B000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883978416.00000000009AA000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2884234589.00000000009AD000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_1_2_940000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Window$Long$Proc$MessagePostQuit
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3812958022-0
                                                                                                                          • Opcode ID: 0a84aabed346c70156dcdd5adab3948066bd128105289695eaacde960fe29b47
                                                                                                                          • Instruction ID: e1fff54f2e743951b973310794bfad331b90e9ecee4faa365dee93f9996e49c1
                                                                                                                          • Opcode Fuzzy Hash: 0a84aabed346c70156dcdd5adab3948066bd128105289695eaacde960fe29b47
                                                                                                                          • Instruction Fuzzy Hash: 6E21C135104204BFDF15DF68DC18E6A3B69FF49352F148618FD0AAA2A4C732DE14EB50
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • RegQueryValueExW.KERNEL32(00000000,000002C0,00000000,000002C0,00000000,00000000,000002C0,BundleUpgradeCode,00000410,000002C0,00000000,00000000,00000000,00000100,00000000), ref: 0098123F
                                                                                                                          • RegQueryValueExW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,009570E8,00000100,000000B0,00000088,00000410,000002C0), ref: 00981276
                                                                                                                          • lstrlenW.KERNEL32(?,?,?,00000000,?,-00000001,00000004,00000000), ref: 0098136E
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.2883260240.0000000000941000.00000020.00000001.01000000.00000005.sdmp, Offset: 00940000, based on PE: true
                                                                                                                          • Associated: 00000001.00000002.2882942936.0000000000940000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883756918.000000000098B000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883978416.00000000009AA000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2884234589.00000000009AD000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_1_2_940000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: QueryValue$lstrlen
                                                                                                                          • String ID: BundleUpgradeCode$regutil.cpp
                                                                                                                          • API String ID: 3790715954-1648651458
                                                                                                                          • Opcode ID: 3fab6de8c5bb0e2e14e660350035fa5cfeee318a18af472b4a810c0182901b81
                                                                                                                          • Instruction ID: bf6f7a56ef9b1dea61b33fb809dbf81317019038332bce2ebde2e4bbd632a1f5
                                                                                                                          • Opcode Fuzzy Hash: 3fab6de8c5bb0e2e14e660350035fa5cfeee318a18af472b4a810c0182901b81
                                                                                                                          • Instruction Fuzzy Hash: 0F419375A0011AEFDB21EF95C844EAEB7ADEF44710F15416AFD11EB710D6349D02DBA0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • HttpOpenRequestW.WININET(00000078,?,?,00000000,00000000,009AA7C4,-84C00201,00000000), ref: 009860D3
                                                                                                                          • GetLastError.KERNEL32(?,?,00985FD0,00000000,?,00000001), ref: 009860DF
                                                                                                                          • GetLastError.KERNEL32(?,?,00985FD0,00000000,?,00000001), ref: 00986130
                                                                                                                          • InternetCloseHandle.WININET(00000000), ref: 0098616C
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.2883260240.0000000000941000.00000020.00000001.01000000.00000005.sdmp, Offset: 00940000, based on PE: true
                                                                                                                          • Associated: 00000001.00000002.2882942936.0000000000940000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883756918.000000000098B000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883978416.00000000009AA000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2884234589.00000000009AD000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_1_2_940000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorLast$CloseHandleHttpInternetOpenRequest
                                                                                                                          • String ID: dlutil.cpp
                                                                                                                          • API String ID: 3771303094-2067379296
                                                                                                                          • Opcode ID: e7bfb5ea65512c0dbaf9ae2cc4925d585b58d9be157ee207df1aee1be22dfd03
                                                                                                                          • Instruction ID: f67d0596a4a76b6897e6ea7540954081bb4cdb890903fb7d4a129453994147b5
                                                                                                                          • Opcode Fuzzy Hash: e7bfb5ea65512c0dbaf9ae2cc4925d585b58d9be157ee207df1aee1be22dfd03
                                                                                                                          • Instruction Fuzzy Hash: 4231B537904629A7D7226E958D49F5B7ABDAF81B60F160214FD10AF352D734CD00D7E1
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • SetFilePointerEx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00960B27
                                                                                                                          • GetLastError.KERNEL32(?,?,?), ref: 00960B31
                                                                                                                          Strings
                                                                                                                          • cabextract.cpp, xrefs: 00960B55
                                                                                                                          • Invalid seek type., xrefs: 00960ABD
                                                                                                                          • Failed to move file pointer 0x%x bytes., xrefs: 00960B62
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.2883260240.0000000000941000.00000020.00000001.01000000.00000005.sdmp, Offset: 00940000, based on PE: true
                                                                                                                          • Associated: 00000001.00000002.2882942936.0000000000940000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883756918.000000000098B000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883978416.00000000009AA000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2884234589.00000000009AD000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_1_2_940000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorFileLastPointer
                                                                                                                          • String ID: Failed to move file pointer 0x%x bytes.$Invalid seek type.$cabextract.cpp
                                                                                                                          • API String ID: 2976181284-417918914
                                                                                                                          • Opcode ID: b9587307e9d3cfb970b725ecd370eb45a84b481e544a547331eeb1e5d8e8329e
                                                                                                                          • Instruction ID: 686b5d5cb455524810fcaa46eccafa5ef67c61ab472244387c3ceb776a4b7409
                                                                                                                          • Opcode Fuzzy Hash: b9587307e9d3cfb970b725ecd370eb45a84b481e544a547331eeb1e5d8e8329e
                                                                                                                          • Instruction Fuzzy Hash: 5531A032A4021AEFCF10DFA8D885E6EB769FB84764B148615F92497350D770ED108BD0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                            • Part of subcall function 00984440: FindFirstFileW.KERNEL32(?,?,?,00000000,?), ref: 0098447B
                                                                                                                            • Part of subcall function 00984440: FindClose.KERNEL32(00000000), ref: 00984487
                                                                                                                          • RegCloseKey.ADVAPI32(?,00000000,?,00000000,?,00000000,?,00000000,?,wininet.dll,?,crypt32.dll,?,?,?,00000000), ref: 00984430
                                                                                                                            • Part of subcall function 00980F6C: RegOpenKeyExW.KERNEL32(00000000,?,00000000,00000000,00000001,009AAAA0,00000000,?,009857E1,80000002,00000000,00020019,?,SOFTWARE\Policies\,00000000,00000000), ref: 00980F80
                                                                                                                            • Part of subcall function 00981217: RegQueryValueExW.KERNEL32(00000000,000002C0,00000000,000002C0,00000000,00000000,000002C0,BundleUpgradeCode,00000410,000002C0,00000000,00000000,00000000,00000100,00000000), ref: 0098123F
                                                                                                                            • Part of subcall function 00981217: RegQueryValueExW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,009570E8,00000100,000000B0,00000088,00000410,000002C0), ref: 00981276
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.2883260240.0000000000941000.00000020.00000001.01000000.00000005.sdmp, Offset: 00940000, based on PE: true
                                                                                                                          • Associated: 00000001.00000002.2882942936.0000000000940000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883756918.000000000098B000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883978416.00000000009AA000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2884234589.00000000009AD000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_1_2_940000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CloseFindQueryValue$FileFirstOpen
                                                                                                                          • String ID: PendingFileRenameOperations$SYSTEM\CurrentControlSet\Control\Session Manager$\$crypt32.dll
                                                                                                                          • API String ID: 3397690329-3978359083
                                                                                                                          • Opcode ID: 928972f3c350dce432552a3b0603eacb9745f2a829161dc3e67181a320c2d784
                                                                                                                          • Instruction ID: b0583b663df9a594a95117b44f0070391ef99ff2da3be244cfd8c93c62622bcb
                                                                                                                          • Opcode Fuzzy Hash: 928972f3c350dce432552a3b0603eacb9745f2a829161dc3e67181a320c2d784
                                                                                                                          • Instruction Fuzzy Hash: 9F31823290021AEBDF21BFA5CC41ABEB7B9EF40754F65817AF904A6261E3319E40DB50
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • CreateDirectoryW.KERNEL32(00000003,0000005C,00000001,00000000,?,00984292,00000001,00000000,?,0098432E,00000003,00000001,00000001,00000000,00000000,00000000), ref: 00944123
                                                                                                                          • GetLastError.KERNEL32(?,00984292,00000001,00000000,?,0098432E,00000003,00000001,00000001,00000000,00000000,00000000,?,0095A763,?,00000000), ref: 00944131
                                                                                                                          • CreateDirectoryW.KERNEL32(00000003,0000005C,00000000,?,00984292,00000001,00000000,?,0098432E,00000003,00000001,00000001,00000000,00000000,00000000), ref: 0094419A
                                                                                                                          • GetLastError.KERNEL32(?,00984292,00000001,00000000,?,0098432E,00000003,00000001,00000001,00000000,00000000,00000000,?,0095A763,?,00000000), ref: 009441A4
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.2883260240.0000000000941000.00000020.00000001.01000000.00000005.sdmp, Offset: 00940000, based on PE: true
                                                                                                                          • Associated: 00000001.00000002.2882942936.0000000000940000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883756918.000000000098B000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883978416.00000000009AA000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2884234589.00000000009AD000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_1_2_940000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CreateDirectoryErrorLast
                                                                                                                          • String ID: dirutil.cpp
                                                                                                                          • API String ID: 1375471231-2193988115
                                                                                                                          • Opcode ID: 81e49d5e880416855c01fc6ce452554d0c3b2950dce4c6d442eacbc73e654d03
                                                                                                                          • Instruction ID: 9b4c728058ef7b9b55b05811bb1c6a0e1cf770da27aa494033f7e413cdd34ef5
                                                                                                                          • Opcode Fuzzy Hash: 81e49d5e880416855c01fc6ce452554d0c3b2950dce4c6d442eacbc73e654d03
                                                                                                                          • Instruction Fuzzy Hash: 1F11247661C33697E7312AA14C84F7BA658EF7DB61F154021FD05EB240E3648C8093D0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • HttpSendRequestW.WININET(00000078,00000000,00000000,00000000,00000000), ref: 009861A9
                                                                                                                          • GetLastError.KERNEL32(?,?,00985FEF,?,00000000,?,00000000,?,00000000,?,00000001,00000078), ref: 009861B3
                                                                                                                          Strings
                                                                                                                          • Failed to send request to URL: %ls, trying to process HTTP status code anyway., xrefs: 009861CA
                                                                                                                          • Unknown HTTP status code %d, returned from URL: %ls, xrefs: 00986326
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.2883260240.0000000000941000.00000020.00000001.01000000.00000005.sdmp, Offset: 00940000, based on PE: true
                                                                                                                          • Associated: 00000001.00000002.2882942936.0000000000940000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883756918.000000000098B000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883978416.00000000009AA000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2884234589.00000000009AD000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_1_2_940000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorHttpLastRequestSend
                                                                                                                          • String ID: Failed to send request to URL: %ls, trying to process HTTP status code anyway.$Unknown HTTP status code %d, returned from URL: %ls
                                                                                                                          • API String ID: 4088757929-4203213909
                                                                                                                          • Opcode ID: 94d93934682df9757979fd417f3bb9268c3df23e845b8d3417b2ebb4c478c5b4
                                                                                                                          • Instruction ID: a3ee764d2ea5d6b5683009c937b0fd61f721dc8cf12f8536a4eec3ee83c815a4
                                                                                                                          • Opcode Fuzzy Hash: 94d93934682df9757979fd417f3bb9268c3df23e845b8d3417b2ebb4c478c5b4
                                                                                                                          • Instruction Fuzzy Hash: 7D412633A441169BDB25AE68CD0AB7E7768EB51720F1442AAFC01FF394C269DD0097E5
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                            • Part of subcall function 00980F6C: RegOpenKeyExW.KERNEL32(00000000,?,00000000,00000000,00000001,009AAAA0,00000000,?,009857E1,80000002,00000000,00020019,?,SOFTWARE\Policies\,00000000,00000000), ref: 00980F80
                                                                                                                          • RegCloseKey.ADVAPI32(00000000,SOFTWARE\Policies\Microsoft\Windows\Installer,00020019,00000001,feclient.dll,?,?,?,00953FB5,feclient.dll,?,00000000,?,?,?,00944B12), ref: 00953B42
                                                                                                                            • Part of subcall function 009810B5: RegQueryValueExW.ADVAPI32(00000000,?,00000000,00000000,00000000,?,00000000,00000002,00000001,00000000,00000000,00000000,?,00000000), ref: 0098112B
                                                                                                                            • Part of subcall function 009810B5: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00981163
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.2883260240.0000000000941000.00000020.00000001.01000000.00000005.sdmp, Offset: 00940000, based on PE: true
                                                                                                                          • Associated: 00000001.00000002.2882942936.0000000000940000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883756918.000000000098B000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883978416.00000000009AA000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2884234589.00000000009AD000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_1_2_940000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: QueryValue$CloseOpen
                                                                                                                          • String ID: Logging$SOFTWARE\Policies\Microsoft\Windows\Installer$feclient.dll
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • lstrlenA.KERNEL32(0095E93B,00000000,00000000,?,?,?,00980013,0095E93B,0095E93B,?,00000000,0000FDE9,?,0095E93B,8000FFFF,Unexpected return value from message pump.), ref: 00980776
                                                                                                                          • WriteFile.KERNEL32(0000021C,00000000,00000000,?,00000000,?,?,00980013,0095E93B,0095E93B,?,00000000,0000FDE9,?,0095E93B,8000FFFF), ref: 009807B2
                                                                                                                          • GetLastError.KERNEL32(?,?,00980013,0095E93B,0095E93B,?,00000000,0000FDE9,?,0095E93B,8000FFFF,Unexpected return value from message pump.), ref: 009807BC
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.2883260240.0000000000941000.00000020.00000001.01000000.00000005.sdmp, Offset: 00940000, based on PE: true
                                                                                                                          • Associated: 00000001.00000002.2882942936.0000000000940000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883756918.000000000098B000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883978416.00000000009AA000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2884234589.00000000009AD000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_1_2_940000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorFileLastWritelstrlen
                                                                                                                          • String ID: logutil.cpp
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • CommandLineToArgvW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,ignored ,00000000,?,00000000,?,?,?,0094523F,00000000,?), ref: 00941248
                                                                                                                          • GetLastError.KERNEL32(?,?,?,0094523F,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 00941252
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.2883260240.0000000000941000.00000020.00000001.01000000.00000005.sdmp, Offset: 00940000, based on PE: true
                                                                                                                          • Associated: 00000001.00000002.2882942936.0000000000940000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883756918.000000000098B000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883978416.00000000009AA000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2884234589.00000000009AD000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_1_2_940000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ArgvCommandErrorLastLine
                                                                                                                          • String ID: apputil.cpp$ignored
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                            • Part of subcall function 0096140C: SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000,?,?,?,00000000,?,00960A19,?,?,?), ref: 00961434
                                                                                                                            • Part of subcall function 0096140C: GetLastError.KERNEL32(?,00960A19,?,?,?), ref: 0096143E
                                                                                                                          • ReadFile.KERNEL32(?,?,?,?,00000000,?,?,?), ref: 00960A27
                                                                                                                          • GetLastError.KERNEL32 ref: 00960A31
                                                                                                                          Strings
                                                                                                                          • cabextract.cpp, xrefs: 00960A55
                                                                                                                          • Failed to read during cabinet extraction., xrefs: 00960A5F
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.2883260240.0000000000941000.00000020.00000001.01000000.00000005.sdmp, Offset: 00940000, based on PE: true
                                                                                                                          • Associated: 00000001.00000002.2882942936.0000000000940000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883756918.000000000098B000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883978416.00000000009AA000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2884234589.00000000009AD000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_1_2_940000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorFileLast$PointerRead
                                                                                                                          • String ID: Failed to read during cabinet extraction.$cabextract.cpp
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000,?,?,?,00000000,?,00960A19,?,?,?), ref: 00961434
                                                                                                                          • GetLastError.KERNEL32(?,00960A19,?,?,?), ref: 0096143E
                                                                                                                          Strings
                                                                                                                          • Failed to move to virtual file pointer., xrefs: 0096146C
                                                                                                                          • cabextract.cpp, xrefs: 00961462
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.2883260240.0000000000941000.00000020.00000001.01000000.00000005.sdmp, Offset: 00940000, based on PE: true
                                                                                                                          • Associated: 00000001.00000002.2882942936.0000000000940000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883756918.000000000098B000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883978416.00000000009AA000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2884234589.00000000009AD000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_1_2_940000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorFileLastPointer
                                                                                                                          • String ID: Failed to move to virtual file pointer.$cabextract.cpp
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • PostThreadMessageW.USER32(?,00009001,00000000,?), ref: 0095F2EE
                                                                                                                          • GetLastError.KERNEL32 ref: 0095F2F8
                                                                                                                          Strings
                                                                                                                          • Failed to post plan message., xrefs: 0095F326
                                                                                                                          • EngineForApplication.cpp, xrefs: 0095F31C
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.2883260240.0000000000941000.00000020.00000001.01000000.00000005.sdmp, Offset: 00940000, based on PE: true
                                                                                                                          • Associated: 00000001.00000002.2882942936.0000000000940000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883756918.000000000098B000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883978416.00000000009AA000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2884234589.00000000009AD000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_1_2_940000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorLastMessagePostThread
                                                                                                                          • String ID: EngineForApplication.cpp$Failed to post plan message.
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • SetEvent.KERNEL32(?,00000000,?,00961717,00000000,00000000,?,0094C287,00000000,?,?,0096ADE3,?,00000000,?,?), ref: 009607BF
                                                                                                                          • GetLastError.KERNEL32(?,00961717,00000000,00000000,?,0094C287,00000000,?,?,0096ADE3,?,00000000,?,?,?,00000000), ref: 009607C9
                                                                                                                          Strings
                                                                                                                          • cabextract.cpp, xrefs: 009607ED
                                                                                                                          • Failed to set begin operation event., xrefs: 009607F7
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.2883260240.0000000000941000.00000020.00000001.01000000.00000005.sdmp, Offset: 00940000, based on PE: true
                                                                                                                          • Associated: 00000001.00000002.2882942936.0000000000940000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883756918.000000000098B000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883978416.00000000009AA000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2884234589.00000000009AD000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_1_2_940000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorEventLast
                                                                                                                          • String ID: Failed to set begin operation event.$cabextract.cpp
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • RtlAllocateHeap.NTDLL(00000008,?,?,?,6CBE92AD,00000001,00000364,0000000C,000000FF,?,?,?,6CBE96D0,6CBE97C1,?), ref: 6CBE987A
                                                                                                                          • _free.LIBCMT ref: 6CBE9A48
                                                                                                                          • _free.LIBCMT ref: 6CBE9A70
                                                                                                                          • _free.LIBCMT ref: 6CBE9A85
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.2896551563.000000006CBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBE0000, based on PE: true
                                                                                                                          • Associated: 00000001.00000002.2896326088.000000006CBE0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                          • Associated: 00000001.00000002.2896800650.000000006CBF4000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                          • Associated: 00000001.00000002.2896951107.000000006CBFB000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                          • Associated: 00000001.00000002.2897035291.000000006CBFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_1_2_6cbe0000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: _free$AllocateHeap
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3033488037-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • GetLastError.KERNEL32(?,?,?,6CBE96D0,6CBE97C1,?,?,6CBE18ED,?,?,6CBE18A4,0000000C,?), ref: 6CBE9269
                                                                                                                          • _free.LIBCMT ref: 6CBE92C4
                                                                                                                          • _free.LIBCMT ref: 6CBE92FA
                                                                                                                          • SetLastError.KERNEL32(00000000,0000000C,000000FF,?,?,?,6CBE96D0,6CBE97C1,?,?,6CBE18ED,?,?,6CBE18A4,0000000C,?), ref: 6CBE9305
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.2896551563.000000006CBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBE0000, based on PE: true
                                                                                                                          • Associated: 00000001.00000002.2896326088.000000006CBE0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                          • Associated: 00000001.00000002.2896800650.000000006CBF4000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                          • Associated: 00000001.00000002.2896951107.000000006CBFB000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                          • Associated: 00000001.00000002.2897035291.000000006CBFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_1_2_6cbe0000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorLast_free
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2283115069-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • CoInitializeEx.OLE32(00000000,00000000), ref: 009557D9
                                                                                                                          • CoUninitialize.OLE32(?,00000000,?,?,?,?,?,?,?), ref: 00955833
                                                                                                                          Strings
                                                                                                                          • Failed to initialize COM on cache thread., xrefs: 009557E5
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.2883260240.0000000000941000.00000020.00000001.01000000.00000005.sdmp, Offset: 00940000, based on PE: true
                                                                                                                          • Associated: 00000001.00000002.2882942936.0000000000940000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883756918.000000000098B000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883978416.00000000009AA000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2884234589.00000000009AD000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_1_2_940000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: InitializeUninitialize
                                                                                                                          • String ID: Failed to initialize COM on cache thread.
                                                                                                                          • API String ID: 3442037557-3629645316
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • lstrlenW.KERNEL32(burn.clean.room,?,?,?,?,00941104,?,?,00000000), ref: 00945142
                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000001,?,0000000F,burn.clean.room,0000000F,?,?,?,?,00941104,?,?,00000000), ref: 00945172
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.2883260240.0000000000941000.00000020.00000001.01000000.00000005.sdmp, Offset: 00940000, based on PE: true
                                                                                                                          • Associated: 00000001.00000002.2882942936.0000000000940000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883756918.000000000098B000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883978416.00000000009AA000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2884234589.00000000009AD000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_1_2_940000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CompareStringlstrlen
                                                                                                                          • String ID: burn.clean.room
                                                                                                                          • API String ID: 1433953587-3055529264
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,?,00000000,00000000,00000000,?,00986376,?,?,?,00000000,00000000,00000001), ref: 00984925
                                                                                                                          • GetLastError.KERNEL32(?,00986376,?,?,?,00000000,00000000,00000001,00000000,00000000,00000000,?,00985C09,?,?,?), ref: 0098492F
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.2883260240.0000000000941000.00000020.00000001.01000000.00000005.sdmp, Offset: 00940000, based on PE: true
                                                                                                                          • Associated: 00000001.00000002.2882942936.0000000000940000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883756918.000000000098B000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883978416.00000000009AA000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2884234589.00000000009AD000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_1_2_940000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorFileLastPointer
                                                                                                                          • String ID: fileutil.cpp
                                                                                                                          • API String ID: 2976181284-2967768451
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00943877
                                                                                                                          • GetLastError.KERNEL32 ref: 00943881
                                                                                                                          • LoadLibraryW.KERNEL32(?,?,00000104,?), ref: 009438EA
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.2883260240.0000000000941000.00000020.00000001.01000000.00000005.sdmp, Offset: 00940000, based on PE: true
                                                                                                                          • Associated: 00000001.00000002.2882942936.0000000000940000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883756918.000000000098B000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883978416.00000000009AA000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2884234589.00000000009AD000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_1_2_940000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: DirectoryErrorLastLibraryLoadSystem
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1230559179-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • GetLastError.KERNEL32(?,00000100,00000000,00973F01,00943C56,75C0B390,00000000,?), ref: 009761E7
                                                                                                                          • SetLastError.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00976250
                                                                                                                          • SetLastError.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00976259
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.2883260240.0000000000941000.00000020.00000001.01000000.00000005.sdmp, Offset: 00940000, based on PE: true
                                                                                                                          • Associated: 00000001.00000002.2882942936.0000000000940000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883756918.000000000098B000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883978416.00000000009AA000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2884234589.00000000009AD000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_1_2_940000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorLast
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1452528299-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                            • Part of subcall function 00980F6C: RegOpenKeyExW.KERNEL32(00000000,?,00000000,00000000,00000001,009AAAA0,00000000,?,009857E1,80000002,00000000,00020019,?,SOFTWARE\Policies\,00000000,00000000), ref: 00980F80
                                                                                                                          • RegCloseKey.ADVAPI32(00000000,?,?,00000001,00000000,00000000,?,?,?,00957D59,?,?,?), ref: 0094F7B9
                                                                                                                            • Part of subcall function 00981026: RegQueryValueExW.ADVAPI32(00000004,?,00000000,00000000,?,00000078,0098655B,00000000,?,?,?,00985837,00000000,?,0098655B,00000078), ref: 0098104B
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.2883260240.0000000000941000.00000020.00000001.01000000.00000005.sdmp, Offset: 00940000, based on PE: true
                                                                                                                          • Associated: 00000001.00000002.2882942936.0000000000940000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883756918.000000000098B000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883978416.00000000009AA000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2884234589.00000000009AD000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_1_2_940000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CloseOpenQueryValue
                                                                                                                          • String ID: Installed
                                                                                                                          • API String ID: 3677997916-3662710971
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • RegCloseKey.ADVAPI32(00000000,000000B0,00000088,00000410,000002C0), ref: 009891DB
                                                                                                                            • Part of subcall function 00980F6C: RegOpenKeyExW.KERNEL32(00000000,?,00000000,00000000,00000001,009AAAA0,00000000,?,009857E1,80000002,00000000,00020019,?,SOFTWARE\Policies\,00000000,00000000), ref: 00980F80
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.2883260240.0000000000941000.00000020.00000001.01000000.00000005.sdmp, Offset: 00940000, based on PE: true
                                                                                                                          • Associated: 00000001.00000002.2882942936.0000000000940000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883756918.000000000098B000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883978416.00000000009AA000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2884234589.00000000009AD000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_1_2_940000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CloseOpen
                                                                                                                          • String ID: %ls%ls\%ls\%ls
                                                                                                                          • API String ID: 47109696-1267659288
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • lstrlenW.KERNEL32(00000000,00000000,?,?,?,?,0095D3E5,00000001,00000000,?,-00000001,?,?,00000000,00000001), ref: 0097F907
                                                                                                                          • _memcpy_s.LIBCMT ref: 0097F949
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.2883260240.0000000000941000.00000020.00000001.01000000.00000005.sdmp, Offset: 00940000, based on PE: true
                                                                                                                          • Associated: 00000001.00000002.2882942936.0000000000940000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883756918.000000000098B000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883978416.00000000009AA000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2884234589.00000000009AD000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_1_2_940000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: _memcpy_slstrlen
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2392212498-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • GetProcessHeap.KERNEL32(?,?,?,00942274,?,00000001,75C0B390,8000FFFF,?,?,00980267,?,?,00000000,00000000,8000FFFF), ref: 00943960
                                                                                                                          • RtlAllocateHeap.NTDLL(00000000,?,00942274,?,00000001,75C0B390,8000FFFF,?,?,00980267,?,?,00000000,00000000,8000FFFF), ref: 00943967
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.2883260240.0000000000941000.00000020.00000001.01000000.00000005.sdmp, Offset: 00940000, based on PE: true
                                                                                                                          • Associated: 00000001.00000002.2882942936.0000000000940000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883756918.000000000098B000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883978416.00000000009AA000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2884234589.00000000009AD000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_1_2_940000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Heap$AllocateProcess
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1357844191-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • VariantInit.OLEAUT32(?), ref: 009835F8
                                                                                                                            • Part of subcall function 0098304F: GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00000000,00983609,00000000,?,00000000), ref: 00983069
                                                                                                                            • Part of subcall function 0098304F: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,0096C025,?,00945405,?,00000000,?), ref: 00983075
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.2883260240.0000000000941000.00000020.00000001.01000000.00000005.sdmp, Offset: 00940000, based on PE: true
                                                                                                                          • Associated: 00000001.00000002.2882942936.0000000000940000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883756918.000000000098B000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883978416.00000000009AA000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2884234589.00000000009AD000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_1_2_940000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorHandleInitLastModuleVariant
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 52713655-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                            • Part of subcall function 00988E44: lstrlenW.KERNEL32(00000100,?,?,?,00989217,000002C0,00000100,00000100,00000100,?,?,?,00967D87,?,?,000001BC), ref: 00988E69
                                                                                                                          • RegCloseKey.ADVAPI32(000002C0,000002C0,00000100,00000100,00000100,?,?,?,00967D87,?,?,000001BC,00000000,00000000,00000000,00000100), ref: 009892B4
                                                                                                                            • Part of subcall function 00980F6C: RegOpenKeyExW.KERNEL32(00000000,?,00000000,00000000,00000001,009AAAA0,00000000,?,009857E1,80000002,00000000,00020019,?,SOFTWARE\Policies\,00000000,00000000), ref: 00980F80
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.2883260240.0000000000941000.00000020.00000001.01000000.00000005.sdmp, Offset: 00940000, based on PE: true
                                                                                                                          • Associated: 00000001.00000002.2882942936.0000000000940000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883756918.000000000098B000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883978416.00000000009AA000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2884234589.00000000009AD000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_1_2_940000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CloseOpenlstrlen
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 514153755-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • RegCloseKey.ADVAPI32(?,00000000,?,009AAAA0,00000000,?,?,?,00958B19,WiX\Burn,PackageCache,00000000,009AAAA0,00000000,00000000,?), ref: 009858CA
                                                                                                                            • Part of subcall function 009810B5: RegQueryValueExW.ADVAPI32(00000000,?,00000000,00000000,00000000,?,00000000,00000002,00000001,00000000,00000000,00000000,?,00000000), ref: 0098112B
                                                                                                                            • Part of subcall function 009810B5: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00981163
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.2883260240.0000000000941000.00000020.00000001.01000000.00000005.sdmp, Offset: 00940000, based on PE: true
                                                                                                                          • Associated: 00000001.00000002.2882942936.0000000000940000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883756918.000000000098B000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883978416.00000000009AA000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2884234589.00000000009AD000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_1_2_940000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: QueryValue$Close
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1979452859-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • RegCloseKey.ADVAPI32(00000000,00000078,00000000,00000000,00000000,?,?,?,0098655B,WiX\Burn,DownloadTimeout,00000078), ref: 00985851
                                                                                                                            • Part of subcall function 00981026: RegQueryValueExW.ADVAPI32(00000004,?,00000000,00000000,?,00000078,0098655B,00000000,?,?,?,00985837,00000000,?,0098655B,00000078), ref: 0098104B
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.2883260240.0000000000941000.00000020.00000001.01000000.00000005.sdmp, Offset: 00940000, based on PE: true
                                                                                                                          • Associated: 00000001.00000002.2882942936.0000000000940000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883756918.000000000098B000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883978416.00000000009AA000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2884234589.00000000009AD000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_1_2_940000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CloseQueryValue
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3356406503-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • RtlAllocateHeap.NTDLL(00000008,?,?,?,6CBE92AD,00000001,00000364,0000000C,000000FF,?,?,?,6CBE96D0,6CBE97C1,?), ref: 6CBE987A
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.2896551563.000000006CBE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CBE0000, based on PE: true
                                                                                                                          • Associated: 00000001.00000002.2896326088.000000006CBE0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                          • Associated: 00000001.00000002.2896800650.000000006CBF4000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                          • Associated: 00000001.00000002.2896951107.000000006CBFB000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                          • Associated: 00000001.00000002.2897035291.000000006CBFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_1_2_6cbe0000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: AllocateHeap
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1279760036-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00976213,00000001,00000364), ref: 00975346
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.2883260240.0000000000941000.00000020.00000001.01000000.00000005.sdmp, Offset: 00940000, based on PE: true
                                                                                                                          • Associated: 00000001.00000002.2882942936.0000000000940000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883756918.000000000098B000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883978416.00000000009AA000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2884234589.00000000009AD000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_1_2_940000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: AllocateHeap
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1279760036-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • SHGetFolderPathW.SHELL32(00000000,00000000,00000000,00000000,?,?,00000104,00000000,?,00958BD3,0000001C,?,00000000,00000000,?), ref: 009434D5
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.2883260240.0000000000941000.00000020.00000001.01000000.00000005.sdmp, Offset: 00940000, based on PE: true
                                                                                                                          • Associated: 00000001.00000002.2882942936.0000000000940000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883756918.000000000098B000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883978416.00000000009AA000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2884234589.00000000009AD000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_1_2_940000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: FolderPath
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1514166925-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • GetFileAttributesW.KERNEL32(00000000,00000000,?,0095A42F,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,?,00000000,?), ref: 009441F0
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.2883260240.0000000000941000.00000020.00000001.01000000.00000005.sdmp, Offset: 00940000, based on PE: true
                                                                                                                          • Associated: 00000001.00000002.2882942936.0000000000940000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883756918.000000000098B000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883978416.00000000009AA000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2884234589.00000000009AD000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_1_2_940000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: AttributesFile
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3188754299-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                            • Part of subcall function 00943BD3: GetProcessHeap.KERNEL32(00000000,?,?,009421CC,?,75C0B390,8000FFFF,?,?,00980267,?,?,00000000,00000000,8000FFFF), ref: 00943BDB
                                                                                                                            • Part of subcall function 00943BD3: HeapSize.KERNEL32(00000000,?,009421CC,?,75C0B390,8000FFFF,?,?,00980267,?,?,00000000,00000000,8000FFFF), ref: 00943BE2
                                                                                                                          • lstrlenW.KERNEL32(?,?,75C0B390,00000000,?), ref: 0094139C
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.2883260240.0000000000941000.00000020.00000001.01000000.00000005.sdmp, Offset: 00940000, based on PE: true
                                                                                                                          • Associated: 00000001.00000002.2882942936.0000000000940000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883756918.000000000098B000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883978416.00000000009AA000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2884234589.00000000009AD000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_1_2_940000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Heap$ProcessSizelstrlen
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3492610842-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • lstrlenW.KERNEL32(?,00000000,00000000,?,?,009421A8,00000000,?,00000000,00000000,?,00958C2B,00000000,00C941B0,00000000,00000000), ref: 009414E8
                                                                                                                            • Part of subcall function 00943BD3: GetProcessHeap.KERNEL32(00000000,?,?,009421CC,?,75C0B390,8000FFFF,?,?,00980267,?,?,00000000,00000000,8000FFFF), ref: 00943BDB
                                                                                                                            • Part of subcall function 00943BD3: HeapSize.KERNEL32(00000000,?,009421CC,?,75C0B390,8000FFFF,?,?,00980267,?,?,00000000,00000000,8000FFFF), ref: 00943BE2
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000001.00000002.2883260240.0000000000941000.00000020.00000001.01000000.00000005.sdmp, Offset: 00940000, based on PE: true
                                                                                                                          • Associated: 00000001.00000002.2882942936.0000000000940000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883756918.000000000098B000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2883978416.00000000009AA000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                          • Associated: 00000001.00000002.2884234589.00000000009AD000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_1_2_940000_SPCapIQProOffice-1.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Heap$ProcessSizelstrlen
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3492610842-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%